For discussion
on 7 December 1998

Purpose

This paper informs members of the progress which the financial services sector in Hong Kong has made to tackle the year 2000 (Y2K) problem.

Year 2000 Problem

2. The Y2K problem arises from the past practice adopted by the information technology industry of referring to the year by its last two digits (e.g. "98" to mean "1998") in the design of computer systems. The use of the two-digit approach was mainly to economise the use of computer storage and processing power which were relatively expensive in the old days. The Y2K problem generally refers to computers or systems with date-coding facilities being unable to correctly interpret dates from and including Y2K. The computers or systems may continue to function with errors or misleading information, disrupt other related computers or systems, or cause total computer or system failure.

3. As in most other sectors, computer systems are widely used in the financial services sector to handle dates for financial computation, sorting, and for comparison, assessment and validation of complex calculations, timely reminders and key date adjustments. The banking and securities industries, in particular, rely heavily on computer systems and networks, including internal systems and external systems connected with them, in their day-to-day operations, clearing and settlement of financial transactions and payments, information management and other back office support services. They also need the support of many other systems with embedded date-coding chips to maintain their operations, such as communication equipment, water chill systems, backup lighting and power generators.

Steering Committee on Y2K Compliance in the Financial Services Sector

4. The Administration is fully aware of the importance of the Y2K issue and the significant impact it may have on various economic and social sectors and the community as a whole. For the financial services sector, the Secretary for Financial Services appointed a Steering Committee in March 1998 to co-ordinate the sector's efforts in, among other things, ensuring that the core financial infrastructural systems achieve as far as possible Y2K compliance in time.

5. The Steering Committee is chaired by the Deputy Secretary for Financial Services and comprises representatives from the following organisations -

• Hong Kong Monetary Authority (HKMA)
• The Hong Kong Association of Banks
• Hong Kong Interbank Clearing Limited (HKICL)
• Securities and Futures Commission (SFC)
• The Stock Exchange of Hong Kong (SEHK)
• Hong Kong Futures Exchange Limited (HKFE)
• Hong Kong Securities Clearing Company Limited (HKSCC)
• Information Technology and Broadcasting Bureau
• Information Technology Services Department
• Office of the Commissioner of Insurance (OCI)

6. The terms of reference of the Steering Committee are at Annex 1.

7. The Steering Committee has set up three subcommittees under it to better monitor the progress of Y2K compliance work of various industries in the financial services sector or of other sectors which services are essential to the operation of the financial services sector. These subcommittees are the Banking Subcommittee, the Securities and Futures Subcommittee and the Utilities and Facilities Subcommittee.

8. We have posted information about the work of the Steering Committee and its members on our website (www.info.gov.hk/fsb/year2000) for public information.

Y2K Supervisory Initiatives of Financial Regulators

Hong Kong Monetary Authority

9. The HKMA is responsible for the regulation of the banking industry. It has placed the Y2K issue on top of its supervisory agenda. Since August 1996, the HKMA has made extensive supervisory efforts to make sure that all Authorized Institutions (AIs) understand their obligations to ensure Y2K compliance and that they take necessary steps to achieve it. Regular on-site examinations, off-site reviews and surveys have been conducted to monitor the compliance progress of the AIs. In the "Best Practice Guide on Financial Disclosure by Authorized Institutions 1997" issued by the HKMA, all locally incorporated AIs, except the smaller Restricted Licence Banks and Deposit-taking Companies, have been required to disclose information in relation to the Y2K problem in their annual accounts for financial years ending on or after 31 December 1997. More recently, the HKMA has also extended the disclosure requirements on Y2K progress to both local and overseas incorporated institutions.

10. The HKMA has established 31 December 1998 as the deadline by which all AIs are expected to be Y2K compliant. Each AI is expected by this deadline to have completed the modification and testing of individual systems, and tested the interaction of modified systems with the institution's other systems with which they interface directly. This will then enable institutions to undertake wider testing that may be required during 1999, including that with external parties.

11. Since April 1998, the HKMA has been implementing a number of new supervisory measures to address the banking sector's obligation to be Y2K compliant. These include independent assessment (i.e. by on-site examination, review by external auditors, internal auditors or other independent parties), formal statements by chief executives of AIs, co-operation with overseas supervisory authorities and issue of formal warning letters to those AIs which exhibit less than satisfactory or poor performance in their Y2K projects.

Securities and Futures Commission

12. The SFC is the regulator of the securities and futures markets. On the Y2K issue, the SFC has been focusing its efforts on three areas -

1. to ensure that the key providers of shared financial systems ¹ of the local securities and futures industry (i.e. SEHK, HKFE and HKSCC) have taken adequate actions to address the Y2K problem relating to the major shared financial systems (e.g. the trading systems, clearing and settlement systems) operated by them;
   
   
2. to ensure that all intermediaries registered with the SFC (including members of the two Exchanges and non-member firms) have taken all necessary steps to rectify their systems affected by the Y2K problem; and
   
   
3. to ensure that other market participants, like listed companies and share registrars, have also taken steps to tackle the problem.

13. Since June 1998, the SFC has started on-site inspection to assess intermediaries' Y2K readiness. After each inspection, intermediaries are given a management letter identifying key deficiency areas and a Y2K methodology to follow. The two Exchanges have started similar inspection reviews on their members since July 1998. The SEHK has also imposed a mandatory disclosure requirement on listed companies to make detailed disclosure of their Y2K readiness in the annual and interim reports for financial periods ending after 30 June 1998.

14. In September 1998, the SFC sent out a Y2K information package to all registered intermediaries under its direct supervision. The information package serves to remind the registered intermediaries of the urgency and importance of the problem and the need to complete rectification work in time, to provide useful reference for tackling the Y2K problem, to seek information on Y2K status and to ask for file of a quarterly progress report. The SEHK and the HKFE have also issued similar information packages to their members. Starting from November 1998, the SFC has started another round of on-site review on the Exchanges and clearing houses to ensure that their Y2K compliance work has been progressing according to their plan.

Office of the Commissioner of Insurance

15. The OCI is responsible for the regulation of the insurance industry. To promote the awareness of insurers and insurance brokers (collectively referred to as the Insurance Institutions) of the Y2K problem, the OCI has conducted a series of surveys and seminars since June 1997 (i) to require the Insurance Institutions to evaluate the impact of the problem on their computer systems and to establish rectification project plans, and (ii) to follow up on the progress made by them on such plans. The Insurance Institutions are expected to achieve Y2K compliance by 31 December 1998.

16. The OCI has commenced conducting on-site visits to all the Insurance Institutions since February 1998 to ensure that progress is made in accordance with the project plans. The OCI also checks the quality of the acceptance testing carried out by the Insurance Institutions.

17. Commencing from the third quarter of 1998, the Insurance Institutions are required to report their up-to-date Y2K status to the OCI on a quarterly basis. The OCI has issued circular letters to all Authorised Insurers to require them to disclose their Y2K readiness status in their annual financial statements for the year ended 31 December 1998 for the information of the public.

Summary Report on External Testing Activities

18. As an important step forward, the Steering Committee compiled in September 1998 a Summary Report on the Y2K External Testing Activities in the Financial Services Sector in Hong Kong. The Report basically takes inventory of Y2K ² external testing activities which have been or are being planned by services providers of major shared financial systems . A copy of the Report is at Annex 2. We have also posted an electronic copy of it on our website for public information. We plan to update the Report in February and April 1999 respectively.

Readiness of Shared Financial Systems

19. In the banking industry, the interbank payment systems operated by the HKICL are already Y2K compliant. The HKICL completed in early November 1998 a series of external end-to-end testing of the interbank payment systems in collaboration with Hongkong Telecom, involving a total of 13 Y2K-related dates. No Y2K exceptions have been identified in those tests. Two further rounds of tests are being planned in 1999 for banks wishing to re-test their systems, including those which have been enhanced.

20. In the securities and futures industry, all the major financial systems operated by the SEHK, HKFE and HKSCC are already Y2K compliant. Industry-wide testing of these systems, involving the securities and futures firms, has been scheduled for January, March and June 1999. A pilot test will be conducted in mid December 1998 to lay the ground work for the industry-wide testing.

Readiness of Financial Institutions

21. The HKMA, the SFC and the OCI have asked all the financial institutions under their respective supervision (over 1,800 in total) to submit returns on the progress of their Y2K programmes. The latest returns showing the position as at end September 1998 in respect of system rectification work completed and target compliance date for mission critical systems ⁴ are summarised in Table 1 and Table 2 below.

Table 1 : Progress of Y2K Rectification Work for Mission Critical Systems



Table 2 : Target Compliance Date for Mission Critical Systems



22. According to the SFC, the relatively slower progress in the securities and futures industry is attributed to the large number of firms involved, variation in their sizes and level of sophistication in the application of information technology. Specifically, there are about 1,300 registered intermediaries in the securities and futures industry, engaging in various types of business activities such as securities dealing, futures trading, leveraged forex trading, fund management and investment advisory services. The majority of them are small and medium sized companies with varying degree of sophistication in using information technology in their business. Given the relatively large number of registered intermediaries and the diversity of their backgrounds, the SFC expects that some firms will lag behind others in meeting the targeted milestones. The SFC and the two Exchanges have set up monitoring procedures to identify registered intermediaries which fall into this category.

23. The financial regulators are very concerned about the financial institutions which are unlikely to achieve Y2K compliance for the mission critical systems by the respective deadlines. The HKMA has issued formal warning to the chief executives of some of the AIs and required them to take every effort to achieve compliance by the stated deadline. The HKMA has made it clear to these institutions that if it appears that not every effort has been made to achieve compliance, it will consider using its statutory powers under the Banking Ordinance to enforce compliance with the deadline.

24. In the securities and futures industry, both the SFC and the two Exchanges have reminded registered intermediaries on a number of occasions that a registered person who fails to take appropriate action to address the Y2K issue may impugn the registrant's fitness and properness to remain registered with the SFC. The SFC and the Exchanges are determined to take action against registered intermediaries whose Y2K problem poses risks to investors and the market. Action may include appointment of external consultants, restriction of business and suspension or revocation of registration or membership.

25. In the insurance industry, the OCI would consider taking interventionary actions (including limiting business volume) of those insurers who might fail to achieve Y2K compliance nearer the time.

The Way Forward

26. Looking ahead, we plan to review and monitor, through the Subcommittees set up under the Steering Committee, the adequacy, thoroughness and progress of Y2K external testing activities of the major shared financial systems. We will see if there are any material gaps or duplications in the testing activities and, if so, how such activities can be improved. Careful consideration will also be given to ascertain the need for additional testing activities. We will also make reference to best practices being put in place among the international financial community.

27. In parallel, we have started the preparation work for reviewing the contingency plans of market regulators and major shared financial systems, and for the development of detailed contingency plans for the financial services sector as a whole to address the Y2K problem. We aim to finalise the contingency plans and the necessary rehearsal arrangements in the third quarter of 1999 at the latest.


Financial Services Bureau
December 1998

Annex 1

Steering Committee on Year 2000 Compliance
in the Financial Services Sector

Terms of reference

1. In order to ensure as far as possible that the core infrastructural systems in the financial services sector achieve Year 2000 compliance in time,
   
   
   1. to inventorise the systems that need to be worked on including impact assessment and prioritisation into critical and non-critical systems;
      
      
   2. to identify the work that needs to be done;
      
      
   3. to draw up a work programme to achieve as far as possible compliance in time;
      
      
   4. to monitor progress; and
      
      
   5. to resolve problems encountered during the process.
      
      
2. To co-ordinate the effort on the part of financial services regulators in enhancing Year 2000 readiness of the institutions under their respective purview including but not limited to promotion of awareness, establishment of targets and benchmarks for the industries, monitoring progress and making status assessment.
   
   
3. To identify the need for industry-wide co-ordination regarding resource, legal and technical aspects and consider necessary actions; in particular, to co-ordinate as necessary any industry-wide testing exercise and draw up contingency plans.
   
   
4. To keep in view the progress of Year 2000 compliance of services and utilities providers and raise concern with the Information Technology and Broadcasting Bureau and relevant parties if the systems of the financial services sector are affected.
   
   
5. To keep in view the progress of Year 2000 compliance of international organisations which have close relations with the systems of the financial services sector in Hong Kong.

1. Shared financial systems are financial systems accessible by a large number of financial institutions, e.g. interbank payment systems, and the trading, clearing and settlement systems for securities and futures transactions.

2. External testing means tests conducted to verify the interaction of internally tested systems with counterparts and external systems.

3. Rectification work means modification or replacement of hardwares and softwares to achieve Y2K compliance, including internal testing of individual systems and interaction of modified systems with the organisation's other systems with which they interface directly.

4. A system is considered mission critical if it causes substantial loss (either in terms of money or time) or serious disruption of business when it is in default.

5. Consolidated figures for rectification work not available.