Business Risk of the Bug
The specter of a complete, world-wide halt to financial activity sounds like the plot of a less than promising spy thriller. However, several years ago information technology experts predicted something very similar would happen when the internal clocks on our computer systems reach 12:00 a.m., January 1, 2000. Termed the "Millennium Bug," or the Year 2000 (Y2K) problem, the potential cataclysm concerns the inability of most computer systems to recognize or calculate a year using a four digit format. Most computers were programmed to store only the last two digits of a year ("95" instead of "1995"); as a result, systems compute erroneous numbers when they start using "00" to subtract or divide in calculations.
How pervasive is this problem really? According to the Federal Financial Institutions Examination Council (FFIEC), which has worked extensively on the problem since 1995, it could cause failures in any software system, communications system, or operations system (such as environmental control systems, security systems, and vault locking systems) that was not programmed to anticipate the coming millennium. The FFIEC has formulated and widely disseminated guidelines and strategies for coping with Y2K problems, has imposed regulations mandating the adoption of appropriate "2K Plans," and is actively monitoring compliance through a system of sanctions.
Though current efforts to address the Y2K problem will surely avert financial system disaster, Y2K problems will still occur. Whether it is because of unforeseen internal problems, suppliers' or customers' system failures or the acceptance of incompatible outside transmissions, many experts believe that even the most prepared institutions will still experience reduced productivity in the year 2000. The extensive use and connectivity of computer systems in all business environments make such Y2K problems inevitable.
Lending institutions will be particularly vulnerable as they are prime examples of entities that have used computer technology to transform operating procedures and exponentially increase productivity. This transformation has left the banking industry highly dependent on computer systems needed to perform even the most simple functions. When one adds to this internal dependency the multitude of business partners that financial institutions rely on both within the industry (other commercial and investment banks, trustees, etc.) and outside the industry (couriers, printers, law firms, maintenance firms, etc.), it becomes clear why the FFIEC is threatening monetary and other sanctions against any institution that is not ready to function properly in the coming millennium. Enough broken links in the chain could paralyze the entire industry.
When productivity is affected, obligations go unfulfilled, orders unexecuted, funds untransferred, and bills unpaid. Litigation ensues. Therefore, an important challenge presented by the Millennium Bug is the determination of appropriate management of the risks and liabilities from systems that will fail.
Doing Battle with the Bug
The obvious need to ensure that computer systems will function properly in the year 2000 has been addressed extensively in the media. This article will focus instead on the legal ramifications of the failure of an outside vendor, supplier, or customer to perform their obligations as well as the legal risks of Y2K compliance strategies.
Preparation for an External Infestation
Despite appropriate preparation for internal Y2K problems, an institution could still lose productivity when less conscientious business counterparties experience such problems. Though not responsible for others' problems, an institution remains responsible to its customers. Every effort must be made to ensure that any liability for injury to customers can be passed on to the party who caused the injury.
Business counterparties might cause a loss of productivity in two ways. First, important information could be lost when transmissions from another institution containing erroneous data either corrupt an internal system or cannot be used or interpreted by systems. Second, important products and services provided by outside firms can be delayed or mishandled because of the firm's own Y2K problems. The loss of information, products or services could prevent an institution from carrying on it's own business.
Guarding Against Bug Bites
From the standpoint of risk management, the most important thing to remember is that some systems will fail, and the risk of losing productivity and incurring liability cannot be completely removed. To address this issue, many institutions have begun to obtain written assurances from all current vendors and service providers ensuring that they are addressing their individual Y2K problems. When appropriately constructed, such assurances both guard against problems and allocate liability to the other party if their system is one that later fails.
For future contracts, inquiries should be made into vendors' and service providers' Y2K problems, and contract provisions should ensure that such parties bear the risk of Y2K related losses caused by their systems. Existing contracts should also be renegotiated when possible to include clauses formalizing assurances received from current vendors and service providers.
Software vendors represent a further problem. For example, if the vendor who created a software application refuses to fix the software's Y2K problems, or if the vendor will only fix the software after the original purchaser pays a significant additional fee, then the purchaser should be careful to address the problem in a way that preserves possible claims for damages. The vendor may or may not be responsible for damage caused by the software or for the expense of fixing the software. In each case, a proper paper trail should be developed to preserve claims against the vendor or to document steps taken by an institution to remedy problems for which it is responsible.
- De-Bugging Creditors
One of the most important issues in preparing lending institutions for Y2K involves expanding the due diligence required before credit committee approval. If the Millennium Bug causes serious productivity problems for a creditor, debt service may be affected. Inquiries into the possible susceptibility of creditors is a minimum requirement for due diligence, and the following additional steps will enhance the creditors position in the event of Y2K problems:
- Policies must be established to ensure legally adequate inquiry into the creditors' internal Y2K problems that could effect debt coverage.
- Inquiry findings should be formalized in the Representations and Warranties made by the creditor to the lender in any loan agreement.
- Events of Default under any loan agreement should be expanded to include unforeseen Y2K problems that have a material adverse effect on debt coverage.
- Affirmative Covenants should stipulate, to the extent possible, that the creditor properly insure itself against loss of productivity due to Y2K problems.
- Affirmative Covenants and previously negotiated operations contracts should impose duties on all current and future secondary contractors to deal with Y2K issues that may effect their ability to perform.
- Testing done on all facilities should include appropriate Y2K readiness tests that ensure new systems are able to process date information correctly.
- Contingency plans must be developed to compensate for communications, data processing and other computer failures that still may occur.
Careful Eradication Planning
An institution's response to Y2K inquiries by business counterparties as well as a lending institution's own strategies carried out internally can create liability risks if both are not managed carefully. Business counterparties will most likely solicit the same kind of assurances from a lending institution that the institution will solicit from them. Such assurances will carry with them similar kinds of legal ramifications and possible admissions of liability. Given the importance of these documents, such assurances must be crafted with the utmost care.
Institutions should pay particular attention to internal reports on their own Y2K problems and strategies that could be discoverable in future court proceedings. To prevent an incomplete or possibly misleading document from becoming the linchpin of an opposing party's lawsuit, institutions should work closely with legal counsel in drafting all internal Y2K documents.
Regulation of the Bug
In preparing Y2K strategies, lending institutions, since they are subject to government oversight and regulation, have to consider more than their shareholders and business partners. Though the FFIEC has taken the lead in formulating regulations and reviewing compliance, many other agencies are adopting a similarly active role in ensuring that institutions regulated by them take Y2K problems seriously. For example, the SEC will soon issue disclosure guidelines for publicly traded firms which mandate that information on Y2K problems be released.
Conclusion
As with all inescapable deadlines, January 1, 2000 is quickly approaching. To address the problem, many businesses are creating a haphazard paper storm of assurances and inquiries directed at all business counterparties. But indiscriminately throwing paper at the problem will not insulate an institution from the legal liabilities inevitably posed by the Millennium Bug. Y2K strategies must be focused, carefully designed, and comprehensive with respect to internal and external inquiries, responses, and agreements. When institutions appropriately prepare, the specter of disaster is reduced to another important risk factor successfully managed.
*Robert Benton was a 1998 summer associate in the New York office of Cadwalader.