The year-2000 computer problem is not just about interest rate miscalculations, transaction errors, or malfunctioning security vaults.

It is also about safety and soundness.

Because any such problems can inhibit normal operations, bank regulators say, the millennial bug threatens financial institutions' viability.

As a result, the computer flaw has created a whole new area of regulatory oversight. In addition to scrutinizing how banks are fixing their computers, regulators are requiring banks to investigate their customers and vendors.

The stakes are high. Financial institutions receiving a less-than- satisfactory year-2000 rating from regulators - around 20% fit this description so far - are being put on a tight remedial leash.

Possibly the area most affected by year-2000 oversight will be bank mergers, a system-compatibility challenge even before considering the year- 2000 component. The glitch could derail the roaring locomotive of consolidations that is expected to continue through the year.

If banks fail to keep pace with agency demands, regulators warn, they risk diminished Camel ratings, and even closure.

Already, regulators say the year-2000 issue is forcing them to put merger and acquisition applications under the microscope.

"We're going to look very carefully at any merger, as are the other agencies, to make sure that the resultant bank will be Y2K-ready," said Michael J. Zamorski, deputy director of the Federal Deposit Insurance Corp.'s supervision division.

"If they are not, I would think the merger would not be allowed, but it would depend on a lot of circumstances," he added.

Banks rated "needs improvement" or "unsatisfactory" on their year-2000 on-site exams face an even stricter review on M&A applications than their peers. For example, they must confer with banking agencies before entering into an M&A agreement and cannot use expedited forms.

According to a Federal Reserve Board guidance letter, such institutions "should be focusing their resources on correcting their deficiencies rather than diverting their resources by engaging in expansionary activities."

Mark O'Dell, head of the year-2000 task force at the Comptroller's Office, said the agency has yet to reject an M&A application on the basis of year-2000 concerns and would not speculate on future rejections.

But he did say that "mergers are going to be more difficult to successfully complete, particularly on mergers of similarly sized institutions where one of those institutions has serious year-2000 problems."

Like other regulators interviewed, Mr. O'Dell denied there would be a cut-off date for merger approvals, saying such decisions would be made on a case-by-case basis.

While regulators are demanding a lot from banks - and rightfully so - they have been slow to tell the banks what to do.

Critics point in particular to the delayed release of key guidance - and to the fact that year-2000 examiners have yet to visit and evaluate a number of banks.

Take year-2000 testing - a function the Bank for International Settlements called "the most critical and complex issue facing the financial industry." Banks must complete written testing plans and strategies by June 30, and must substantially complete testing of their so- called "mission-critical" systems by Dec. 31 - a term, by the way, that regulators have only loosely defined.

But bank employees and officers preparing to test their systems only recently learned what the regulators want. Why? Because the supervisory guidance was not approved for release until April 9.

Similarly, guidance on contingency plans - the steps a bank, thrift, or credit union might take if unanticipated errors occur - is not expected to be released until April 30.

According to Jack L. Brock Jr., director of government and defense information systems at the General Accounting Office, the regulators' guidance is a year late in coming.

"Hopefully, banks have already taken action a long time ago," he said in a recent interview. "If in fact they did nothing, they're too late."

"We wanted to make sure that the policy ramifications are thoroughly thought through," explained Mr. O'Dell, one of the authors of the year-2000 guidance. As a result, "some of this comes out a little bit later than it needs to."

Another key problem is that regulators have yet to examine and rate thousands of banks on their year-2000 compliance efforts. True, regulators have until June 30 to complete all exams (the same date that banks' testing plans are due). But until a bank receives its rating - "satisfactory," "needs improvement," or "unsatisfactory" - it does not know whether it is in compliance.

Gregory Kobus, chairman and president of $50-million Hawthorn Bank, Mundelein, Ill., said in mid-April that the FDIC had yet to schedule his bank for a year-2000 exam.

"We await it. We've been trying to be Y2K-sensitive," he said. "It'd be nice to know, to get a confirmation from the regulators that we're doing a good job." Mr. Kobus was unaware that testing guidance had been approved four days earlier.

For banks whose year-2000 efforts are insufficient, the delay can be damaging. Remedial assistance and other regulatory oversight of those scoring "needs improvement" or "unsatisfactory" does not begin until their ratings are issued.

As of April 1, for example, some 1,700 institutions supervised by the FDIC were still in year-2000 limbo.

To be sure, the agencies have a tough job on their hands. They must:

*Conduct a year-2000 exam of every financial institution.

*Issue half a dozen carefully worded statements to banks on how to conduct their year-2000 remediation efforts.

*Evaluate the readiness of vendors who provide data processing and related services to banks.

*Maintain close follow-up contact with institutions that are not in compliance.

*Report to Congress, which is keeping them on a tight reporting leash.

Compared with other industries, many observers say bank regulators and banks themselves are doing a very good job. "I think that the . . . federal financial regulators generally are far and away the most aggressive on year-2000," said Robert Cohen, vice president of the International Technology Association of America.

But for some banks, the regulators' delays may prove pivotal.

They are already thinking ahead to the day when they may have to pursue enforcement actions against banks for year-2000 noncompliance. Earlier this year, a cease-and-desist order was issued to three banks at a technologically troubled Georgia holding company for year-2000-related reasons, a move that one observer said was "somewhat choreographed" to warn other financial institutions.

"The key point is, they are not going to wait for a failure," said John V. McIsaac, president of Market Partners Inc., a firm that provides year- 2000 training to bank examiners.

Mr. McIsaac added that bank regulators were leaning toward a trigger date in mid-1999. While appropriate actions for that date have not yet been decided, one possible move would be public identification of noncompliant banks, such as through a cease-and-desist order. Such a disclosure could lead to deposit runs at those banks and a resulting decline in book value, making the institutions a good takeover target - a situation the regulators would not at all mind.

"This process is positive," said Mr. McIsaac. "Weak banks will be ferreted out and dealt with to insure the overall health of the banking industry."

But regulators first must establish whether they have the authority to seize a bank because of technological failure as opposed to insolvency.

"The question is, how do you apply unsafe and unsound in a year-2000 readiness context," explained the FDIC's Mr. Zamorski.

Mr. Zamorski says that discussion has not yet been resolved.

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.