Securities Industry and Year 2000
Home | Previous Page
Report to the Congress on the
Readiness of the United States Securities Industry and Public Companies
To Meet the Information Processing Challenges of the Year 2000
United States Securities and Exchange Commission
June 1997
Note: This material has been superseded by two subsequent reports:
Third Report on the Readiness of the United States Securities Industry and Public Companies To Meet the Information-Processing Challenges of the Year 2000," released July 1999.
Second Report on the Readiness of the United States Securities Industry and Public Companies To Meet the Information-Processing Challenges of the Year 2000," released June 1998.
Table of Contents
Executive Summary
I.
Introduction
II.
The SEC's Regulatory Environment
III.
The Securities Industry and the Year 2000 Challenge
IV.
The SEC's Year 2000 Task Force
V.
Methodology for Preparing the Report
VI.
Findings
Self-Regulatory Organizations
The Broker-Dealer, Transfer Agent, Investment Adviser, and Investment Company Communities
Auditing, Independence and Accounting Considerations
Disclosure by Public Companies
Disclosure by Investment Companies and Investment Advisers
The SEC's Internal Systems
VII.
SEC Continuing Actions
VIII.
Subsequent Reports to the Congress
Exhibits
Footnotes
Executive Summary
The staff of the Securities and Exchange Commission (SEC), in response to an inquiry from Congressman John Dingell, has undertaken a coordinated examination of the state of its internal preparedness as well as that of the nation's securities industry and public companies to properly handle the information processing challenges associated with the upcoming millennium change. This report presents the staff's findings as to the current state of readiness, their position with respect to corporate disclosure as it relates to the Year 2000 issue, actions they intend to continue to take to reduce the risk associated with the Year 2000 problem, and the staff's plans to meet future reporting requirements.
The Report is the result of the collaborative efforts of an SEC Task Force comprised of representatives of six SEC divisions and offices: the Divisions of Corporation Finance, Investment Management and Market Regulation; and the Offices of The Executive Director, Compliance Inspections and Examinations, and The Chief Accountant. The Office of Information Technology, which chairs the Task Force and is responsible for SEC internal systems, is a part of the Office of the Executive Director. The work of the Task Force and the findings of the report are organized along the lines of the regulatory or operational responsibilities of each participating office or division.
The United States securities industry is massive in size and complex in function. It is characterized by a heavy reliance on computerized information processing technology and by the extensive interdependencies that exist among its own membership as well as by its reliance upon both the United States and the global banking communities. Timely, accurate information and information exchanges are at the center of the industry's very existence. Because of the serious consequences that would result from any failure to properly prepare for and successfully negotiate the challenge of the millennium changeover, it is imperative that all participants succeed in their system remediation efforts.
Before discussing findings, it is important that one essential principle be understood:
It is not, and will not, be possible for any single entity or collective enterprise to represent that it has achieved complete Year 2000 compliance and thus to guarantee its remediation efforts. The problem is simply too complex for such a claim to have legitimacy. Efforts to solve Year 2000 problems are best described as "risk mitigation." Success in the effort will have been achieved if the number and seriousness of any technical failures is minimized, and they are quickly identified and repaired if they do occur.
The SEC's Year 2000 Task Force has relied heavily upon the existing efforts of agency divisions and offices and the Self-regulatory Organizations (SROs) that are essential to the SEC's public-private regulatory partnership, as well as upon the work and efforts of industry trade groups such as the Securities Industry Association (SIA) and the Investment Company Institute (ICI). Both of these organizations are particularly well positioned to assist their members and to facilitate SEC fact-finding, and both have been helpful and cooperative in the preparation of this report.
The SIA is also working with its membership (the broker-dealer community, clearing firms, transfer agents, securities information processors and others) to stimulate awareness, and to ensure adequate preparations throughout the entire industry by structuring what it refers to as "street-wide" testing. This testing will involve many of the firms and organizations engaged in order placement, execution, clearing and settlement, and it is critical to the ultimate success of this particular effort.
Addressing the Year 2000 problem within any organization proceeds along a spectrum of activities that can be condensed into:
Awareness,
Assessment,
Remediation,
Internal Testing,
Integrated Testing and
Implementation.
Internal testing and integrated testing with one's partners in information exchanges are almost universally acknowledged as the most difficult, expensive and time consuming components of addressing the Year 2000 issue. Estimates of the proportion of resources that will be devoted to testing are generally in the range of between 50 and 70 percent of the entire Year 2000 effort.
As a general proposition, the majority of the members of the securities industry are involved in the assessment and remediation phases of the effort. Some firms are further ahead, a few are finished and some are only now reaching awareness. Most observers agree, however, that remediation efforts are not at the point they ideally should be. A summary of findings for each area of inquiry is provided below:
Self-Regulatory Organizations:
The Division of Market Regulation has performed a review of the exchanges, Nasdaq, and clearing organizations (SROs) regarding their progress in preparing for the Year 2000. The areas reviewed included: 1) planning; 2) impact and risk analysis; 3) configuration management; 4) data conversion; 5) testing and debugging; and 6) contingency planning. Overall, the Division found that most SROs are making adequate progress toward preparing their computer systems for the Year 2000. All the SROs are aware of the Year 2000 problem, and have begun planning how they will address it. A few SROs, however, need to give this problem a greater priority. The Division plans to conduct on-going surveys of all SROs, to ensure that they remain on schedule. The Division has incorporated Year 2000 issues into its routine reviews of SRO automated systems, and will continue to monitor SRO progress towards correcting Year 2000 problems.
The Broker-Dealer, Transfer Agent, Investment Adviser, and Investment Company Communities:
The Office of Compliance Inspections and Examinations (OCIE) is responsible for conducting the SEC's nationwide compliance inspections and examinations program for regulated entities, as authorized by the Securities Exchange Act of 1934, the Investment Company Act of 1940 and the Investment Advisers Act of 1940. These entities include brokers, dealers, transfer agents, investment companies and investment advisers.
The Commission's program in this area has consisted of three inter-related actions. First, Commissioners and staff have taken steps to focus industry attention on the issue. Second, OCIE and the SEC's Year 2000 Task Force have worked with SROs to foster remedial action by the SROs' member firms. Finally, OCIE has developed and utilized an examination module for heightening registrants' awareness of the problem.
Throughout these efforts, the staff has not passed judgment on the various approaches to the Year 2000 problem being developed by registrants, consultants and vendors. The examination staff is not equipped make such judgments, and attempting to do so could chill development of the creative market-based solutions that are now being made available. However, the staff has worked to ensure widespread industry awareness of the problem, and to foster remedial action, both through its own actions and through SROs.
OCIE's examination findings suggest that the industry is well aware of the problem and is responding appropriately. Of the 44 clearing broker-dealers examined pursuant to the Year 2000 module, 43 (97%) indicated that they were already taking remedial steps or that such steps were planned. Of the 371 investment advisers and investment companies so examined, 314 (85%) gave similar responses. Finally, of the 29 transfer agents so examined, 27 (93%) gave similar responses. Thus, in all three areas, the vast majority of registrants indicated that they were either taking or planning corrective action.
Auditing, Independence and Accounting Considerations:
The Task Force considered the Year 2000 preparations and preparedness in relation to the public companies filing financial statements with the SEC. In this regard, the existing auditing, independence, and accounting standards relating to these financial statements were reviewed to determine their adequacy for the protection of investors in connection with this very large and unusual problem. The Task Force also discussed any special preparations, either already taken or in progress, with the American Institute of Certified Public Accountants. In addition, discussions were held with representatives of industry and others in the accounting and auditing profession. The Task Force concluded that accounting and auditing standards exist to alert management, investors and other users of financial information as to the seriousness of the problem, and to initiate action to remedy the situation if this has not already begun.
Disclosure:
The Divisions of Corporation Finance and Investment Management have examined whether it is necessary or appropriate to initiate rulemaking in order to assure adequate disclosure by public companies about Year 2000 activities, expenditures, and the risk of potential adverse consequences of failure to complete necessary remediation. They have concluded that current laws and regulations are sufficient to cover public companies' reporting obligations as they pertain to the impact, to the extent that it is material, of Year 2000 problems on operations and costs.
The SEC's Internal Systems
The SEC's Office of Information Technology (OIT) has assembled its project team which has completed its inventory and first level assessment of all central systems. Each system has been prioritized into a mission-critical or non-mission-critical category. A second level assessment of each system has been conducted to determine if it: 1) is already Year 2000 compliant, 2) should be eliminated, replaced or rewritten, or 3) needs further assessment and possible remediation. Summary results are as follows:
Total Number of Mission Critical Systems:
53
Total Number of Mission Critical Systems Currently Compliant:
14
Total Number of Mission Critical Systems To Be Eliminated, Replaced or Rewritten:
1
Total Number of Mission Critical Systems Still Requiring Remediation:
38
The SEC's EDGAR (Electronic Data Gathering, Analysis and Retrieval) system is among those systems that are currently compliant and therefore presents no problems or issues to the filing community or to internal or external users of EDGAR data.
Since much of the remediation work on SEC internal systems will be completed by third party vendors, OIT is finalizing a request for proposals (RFP). OIT's timeline calls for all work to be completed by December 1998.
Continuing SEC Activities
With respect to its regulated entities, the SEC will continue its examinations and inspections programs to ensure that securities markets participants continue to address the Year 2000 problem vigorously. The staff will work closely with the SROs and follow the progress and findings of their membership inspection programs as well. Finally, the SEC will continue to work with and follow the progress of the SIA as it prepares for and coordinates its members through its street-wide testing program.
With respect to the issue of corporate and investment company disclosure, the SEC intends to monitor the adequacy of disclosure relating to Year 2000 activity as a part of its normal, ongoing review program to determine on an ongoing basis whether or not the current requirements are sufficient and are being complied with.
I. Introduction
This staff report has been prepared in response to a request from Congressman John Dingell made to Securities and Exchange Commission (SEC) Chairman Arthur Levitt dated December 6, 1996. This is the first of three annual reports to the Congress. The report addresses the issue of the extent to which the SEC, the securities industry and public reporting companies are prepared to meet the challenges posed to all users of computerized information systems by the approaching millennium change.
II. The SEC's Regulatory Environment
The actions the SEC has taken, and will continue to take, in response to the problems presented by the Year 2000 issue are authorized by and must conform to the statutes under which the agency was established and operates.
The SEC was established under the Securities Exchange Act of 1934 as an independent, nonpartisan, quasijudicial regulatory agency charged with administering federal securities laws. The purpose of these laws is to protect investors in securities markets that operate fairly and to ensure that investors have access to disclosure of all material information concerning publicly traded securities. The Commission also regulates firms engaged in the purchase or sale of securities, people who provide investment advice, and investment companies. The Commission derives its authorities from and enforces the following laws:
Securities Act of 1933: The Securities Act of 1933 requires that investors receive financial and other information concerning securities being offered for public sale.
Securities Exchange Act of 1934: This Act requires that investors have access to current financial and other information regarding securities, particularly those that trade publicly on exchanges or over-the-counter. Rules concerning the operation of the markets and participants, including proxy solicitations by companies and shareholders, tender offers and buying securities on credit (margin), are also part of this Act.
Investment Company Act of 1940: Activities of companies, including mutual funds, engaged primarily in investing, reinvesting, and trading in securities, and whose own securities are offered to the investing public, are subject to certain statutory prohibitions and to Commission regulation under this Act. Public offerings of investment company securities must be registered under the Securities Act of 1933.
Investment Adviser Act of 1940: This law contains provisions similar to those in the Securities Exchange Act governing the conduct of securities brokers and dealers and requires that persons or firms compensated for advising others about securities investment must register with the Commission and conform to statutory standards designed to protect investors.
Public Utility Holding Company Act of 1935: Interstate holding companies engaged, through subsidiaries, in the electric utility business or in retail distribution of natural or manufactured gas are subject to regulation under this Act.
Trust Indenture Act of 1939: This Act applies to debt securities, including debentures and notes, offered for public sale. Even though such securities may be registered under the Securities Act, they may not be offered for sale to the public unless a formal agreement between the issuer of the bonds and the bondholder, known as a trust indenture, conforms to the statutory standards of this act.
The SEC, pursuant to these statutes and through its implementing rules, oversees and regulates the U.S. securities industry and capital markets. As a small agency of less than 2800 staff, the SEC accomplishes its regulatory objectives and responsibilities, to a large extent, through a public-private partnership. The Commission sets standards for market structure and the obligations of securities firms, while much of the direct, day-to-day regulation of securities market participants is done by the firms themselves and by industry self-regulatory organizations under SEC oversight. This system of shared regulation between the SEC and industry allows the SEC to help ensure that our capital markets (in which more than $10 trillion is now invested) continue to operate in the open, honest and efficient manner American investors have come to expect and rely upon.
III. The Securities Industry and the Year 2000 Challenge
With over 58 million shareholders of record participating in markets experiencing nearly 200 billion shares being traded annually, it is critical that the computer systems upon which our securities market participants rely be prepared to deal with the challenges presented by the change in millennium.
IV. The SEC's Year 2000 Task Force
In response to the request to report to the Congress on the progress being made by the securities industry to prepare for the Year 2000, the SEC established a Task Force comprised of representatives of six SEC divisions and offices: the Divisions of Corporation Finance, Investment Management and Market Regulation; and the Offices of The Executive Director, Compliance Inspections and Examinations, and The Chief Accountant. The Office of Information Technology, which chairs the Task Force and is responsible for SEC internal systems, is a part of the Office of the Executive Director. The work of the Task Force and the findings of the report are organized along the lines of the regulatory or operational responsibilities of each participating office or division. The representatives of each office not only helped guide the work of the Task Force as a group, but also assumed the burden of preparing sections of the report which pertain specifically to the work and responsibilities of their particular office.
V. Methodology for Preparing the Report
The approach of the Task Force to gathering information and fact finding was to (1) take full advantage of existing information inside the agency, and (2) to work with and interview industry groups and market participants with broad or unique perspectives to offer. In all, the Task Force dealt with the following six external organizations, each of which was helpful in developing an assessment of industry readiness.
Organization
Date
Comments
National Association of Securities Dealers (NASD)
March 19
Discussion concentrated on how NASD was progressing with their internal systems, and the approach they were taking with respect to inspecting member firms.
Investment Company Institute (ICI)
March 26
Discussion dealt with ICI's membership and their readiness for Year 2000. ICI offered to share with the SEC the results of a survey they were preparing. These results are included as a part of this report.
DST Systems, Inc.
April 8
DST Systems is a large information processor that provides extensive service to the mutual fund industry. They do the processing for some 43 million investor accounts which is between 33 and 40 percent of all mutual fund investor accounts. (Portfolio and investor account processing is highly concentrated in the mutual fund industry and is a positive element in ensuring Year 2000 readiness. DST, itself began preparing for the Year 2000 in 1989 and is presently well positioned to avoid processing problems.)
KPMG Peat Marwick
April 18
The discussions with the representative from KPMG were helpful in providing a view of the Year 2000 problem as seen from the perspective of outside consultants.
Securities Industry Association (SIA)
April 24
The SIA provided the SEC Task Force with extensive information on the role they are playing in coordinating Year 2000 testing among the exchanges, clearing corporations, depositories, broker-dealers, industry service bureaus and others.
New York Stock Exchange
May 6
Discussions with NYSE centered on their approach to dealing with member firm inspection and the manner in which they planned to use internal NYSE surveillance staff to monitor progress.
VI. Findings
Self-Regulatory Organizations
The Division of Market Regulation has performed a review of the exchanges, Nasdaq, and clearing organizations (SROs) regarding their progress in preparing for the Year 2000. The areas reviewed included: 1) planning; 2) impact and risk analysis; 3) configuration management; 4) data conversion; 5) testing and debugging; and 6) contingency planning. Overall, the Division found that most SROs are making adequate progress toward preparing their computer systems for the Year 2000. All the SROs are aware of the Year 2000 problem, and have begun planning how they will address it. A few SROs, however, need to give this problem a greater priority. The Division plans to conduct on-going surveys of all SROs, to ensure that they remain on schedule. The Division has incorporated Year 2000 issues into its routine reviews of SRO automated systems, and will continue to monitor SRO progress towards correcting Year 2000 problems.
Described below are the areas of Year 2000 conversion that the Division is monitoring at the SROs.
1. Planning
The first step in addressing the Year 2000 computer problem is to establish a full time Year 2000 Project Team. The team should consist of a project leader and technical members. To complement the team's efforts, a Steering Committee should also be established to gain executive level support and sponsorship.
The next step in planning is to develop and implement a project plan noting objectives, work steps, and estimated time frames to complete the work steps. This plan should be approved by the Board of Directors with a separate budget dedicated to Year 2000 efforts.
2. Impact and Risk Analysis
The purpose of the Impact Analysis is to gather and analyze the systems information in order to determine the size and scope of the problem. This phase will result in a list of systems and interfaces which require modifying software, the extent of the required modifications, and a detailed inventory of all programs and hardware. A risk analysis is needed at this stage to facilitate setting priorities. In the risk analysis, each entity should identify the mission critical systems and focus its attention on such systems. "Mission critical" systems are those systems that, if they are inoperable for any length of time or generate erroneous data, would cause great disruption to the organization.
3. Configuration Management
Configuration Management exists to ensure that changes in computer systems take place in an identifiable and controlled environment, and that they do not adversely affect existing systems. A good configuration management system is crucial to the success of any action taken to correct Year 2000 problems. New software code must be identified and controlled during conversion. Once an application reaches compliance, the configuration management system functions as the gatekeeper to prevent programmers from implementing noncompliant changes. Without strong configuration management controls, these changes may go unnoticed until the supposedly compliant application fails in production.
4. Data Conversion
Data conversion software tools consist of two separate products: file conversion and source conversion. File and source conversion do not interact with one another, but may be used together logically in the Year 2000 solution. File conversion software automates and simplifies the conversion of any file that can be produced in a sequential format. Source conversion software eliminates the manual effort required to locate date lines of code that are candidates for change. The source conversion tools automate the analysis required of source code to locate date definitions and trace their usage. The software should be able to identify potential date processing problems areas, and have report capabilities that also support general maintenance functions.
5. Testing and Debugging
Testing will account for 45-50% of SROs' effort to correct the Year 2000 problem. The financial community is currently working on a definition for "street-wide-testing". Although street-wide testing is ultimately required for all applications, many preliminary tests can be conducted through a test environment that simulates a "live" scenario.
Although most SROs have made adequate progress in developing testing plans, there are certain areas where more progress is needed. For example, testing Year 2000 modified software will require a separate, dedicated test environment on which conditions prior, during, and after the change of century can be simulated, including the leap year condition in the year 2000. In addition to testing for application, systems and utility software compliance, the SROs need adequate capacity to accommodate the needed testing and affects of Year 2000 on its various systems.
Finally, regression tests will need to be performed to identify unpredicted changes to other portions of the systems, i.e., testing that systems not only handle the Year 2000 dates correctly, but that they also correctly perform all the other functions they were designed to accomplish. Regression testing needs to retest even unchanged parts or programs of the system.
6. Contingency Planning
Contingency plans must be made and implemented if it appears as if the rollover process will be delayed, or outside vendors won't adequately address the problem, or otherwise can't deliver the fixes. The SROs need to provide for adequate protections as part of contingency plans to ensure the success of critical systems if interfaces fail or unexpected problems are experienced with operating systems and infrastructure software. Rollover must be done in a non-production environment to ensure that historical files are not corrupted.
The SROs generally appear to be on track with the Year 2000 conversion process. Almost all have a special Year 2000 Project Team and most have dedicated budgets for the Year 2000 effort. Most SROs have also already performed the impact and risk analysis studies. A substantial majority have completed a plan for data conversion and have planned for, or have established, some form of configuration management. The Division has spoken to the few SROs that trail the others in these areas regarding the need for them to hasten their progress. The Division is monitoring the SROs' plans for testing, debugging, and contingency planning. Although these activities are not part of the initial phase of the Year 2000 conversion, the Division wants to ensure that the SROs are developing adequate testing and contingency plans.
|
|
