April 24, 1998
BY OVERNIGHT MAIL
AND ELECTRONIC DELIVERY
Jonathan G. Katz, Secretary
Desk Officer for the Securities and Exchange Commission
Re: File No. S7-7-98
The Securities Industry Association ("SIA")
1
appreciates the opportunity to provide comment to the Securities and Exchange Commission ("SEC" or "Commission") regarding the Commission's Notice of Proposed Rule Relating to Reports to be Made by Certain Broker-Dealers Regarding Year 2000 Preparedness (the "Proposed Rule"). SIA enthusiastically supports the goals of the Proposed Rule, and is in favor of any reasonable measure which will heighten industry awareness and assist industry participants to manage and prevent Year 2000 problems. While supportive of the rule, SIA recommends a number of modifications which are designed to improve the industry's reporting of Year 2000 readiness, as discussed more thoroughly below.
It is by now indisputable that the Year 2000 problem is one of the most important issues facing government, virtually all businesses, including the financial services industry, and all manner of institutions worldwide. By all accounts, the Year 2000 challenge is a significant, global challenge which crosses all industry lines and will affect any company, social or government agency, institution, or individual using computers or other automated applications or systems to accomplish a task.
The securities industry has long appreciated the magnitude of this challenge. SIA itself began addressing the formidable task in 1995. With the generous and active participation of hundreds of senior industry executives, and scores of non-industry participants (such as exchanges, bank regulators, industry regulators, clearing entities, data processors, depositories and industry vendors), SIA has developed a comprehensive program to assist the broker-dealer community to prepare for the millennium change. As the SEC is aware -- through its periodic meetings with SIA representatives and the mutually cooperative nature of the SEC-SIA relationship -- SIA's Year 2000 Steering Committee guides the efforts of the various industry segments working on Year 2000 issues. These segments include:
(3) An industry-wide testing program, developed jointly by securities firms, exchanges, clearing and depository organizations and market data providers, to test all major products from order entry to settlement. The program features a "beta test" in July 1998 and a full industry-wide test in March 1999, as well as a joint testing program with the New York Federal Reserve Bank and Clearing House to test payment systems.
(4) A third-party provider program to facilitate a dialogue between securities firms and the most important providers of hardware, software, data services and facilities, including telecommunications and power.
(5) An international program designed to address key international markets and participants in coordination with the effort in this country.
(6) Development of industry-wide contingency plans and support for firm-specific contingency plans to address potential Year 2000 problems as they occur.
(7) A Legal and Regulatory Subcommittee to address the many legal issues which surround Year 2000 remediation, and to advise the operating committees on legal risks and alternatives.
(8) An external communications program to inform legislators, regulators, the media, issuers and investors of the status of the industry's Year 2000 readiness programs.
The securities industry is thoughtfully and diligently addressing Year 2000 issues. Indeed, SIA has estimated that the financial services industry will spend between $4 and $6 billion over the next three years modifying their computer systems to handle the conversion to the Year 2000. As Chairman Arthur Levitt noted in his July 30, 1997 testimony to Congress,
SIA and the SEC have worked together in a constructive manner on Year 2000 issues over the past year and we expect that relationship to continue.
B. SIA Supports the SEC Rule Proposal, but
Recommends a Number of Modifications, to
Improve Industry Reporting of Year 2000 Readiness
As Chairman Levitt has noted, SIA "is especially well-positioned to coordinate Year 2000 activities across its membership" (Levitt Testimony, p. 8). Through its industry-wide coordination efforts, SIA has gained a broad understanding of the complexity of the issues, as well as the practical challenges that face the firms. In voicing the following concerns, SIA intends
not
to criticize, but rather to elucidate issues which may pose stumbling blocks to the full, fair and accurate disclosure for which the Commission strives. It is in the same spirit of cooperation that SIA has been working with the Commission on the Year 2000 issues that the following comments are offered.
In our view, several of the requirements to be addressed in the Rule Proposal's First and Second Reports can be improved. Each will be discussed in turn below.
In this section, firms are being asked to detail their progress in six (6) delineated stages of preparation, most of which are reasonably crafted in the Proposed Rule. However, two of the stages listed in the Proposed Rule should be modified. They are the portions that call for a report on "internal testing of software designed to avoid Year 2000 Problems, including
the number and nature of the exceptions resulting from such testing
" (subpart (iv)) and "integrated or industry-wide testing of software designed to avoid Year 2000 Problems . . . including
the number and nature of the exceptions resulting from such testing
." (subpart (v)) (Emphasis supplied.)
The process of testing software, whether on an industry-wide or internal basis, is a dynamic process. In many instances, the testing of a given system is a running project, in which error or exception reports may be generated hourly, daily, weekly or at some other periodic time interval. Depending on the nature of the particular system being assessed, a problem may be addressed immediately, if it is one that is easily solvable, or may last longer, if the problem is more difficult to fix or is intertwined with other systems. Other times, new problems may emerge when old problems are fixed. Thus, an error report issued at any one point in time is meaningless in terms of the firm's overall efforts to address Year 2000 computer issues.
A simple deletion of the underscored phrases would accomplish this goal and would not diminish the Commission's objective of receiving detailed progress reports in several areas. It would, however, eliminate the need to produce reports which, by the time of their production, have long since become obsolete and, in any event, are not reflective of the current status of the project. Alternatively, the rule could ask for reporting of the number and nature of "
material
" exceptions resulting from testing. If this modification were made, SIA recommends that the Commission establish a materiality threshold for determining whether a testing exception needs to be reported, with a provision that such threshold should be determined by the judgment of the firm doing the reporting.
Also problematic is subpart (vi), which asks firms to report on their current progress in the "implementation of tested software that
will avoid
Year 2000 Problems." We agree that requiring a firm to report on its current progress in testing is an excellent approach. However, the use of the phrase "will avoid" in this subpart is problematic insofar as tests can confirm certain variables but cannot necessarily assure that all manner of Year 2000 Problems will be avoided in their entirety. This is especially true where a firm's systems interact with those of a third party. All that can be expected of firms is that they are engaged in an iterative remediation and testing process of systems in which they, in the best judgment of their technologically proficient employees or consultants, believe a problem is likely to occur.
This defect can be cured simply by replacing the words "will avoid" with the words "is designed to avoid," a phrase which is not only more realistic but also consistent with the Commission's own proposed language, as in the other subparts in this section of the Proposed Rule.
One alternative which might accomplish the Commission's objective would be to reformulate this request to ascertain the status of the firms' efforts to determine whether their major vendors are, or will be, compliant and for those that are not, whether alternative sources or avenues are being considered. In some cases, it should be recognized that alternatives are limited. While we endorse the concept that firms should be considering and developing plans to account for the innumerable failures that could potentially occur, it is unrealistic to expect them to develop a comprehensive and all-inclusive plan which will cover all internal and external contingencies.
SIA recommends that the underscored language be modified to read "an estimate of the percentage of time that key Year 2000 project managers spend on Year 2000 issues."
C. SIA Supports the Concept of an Accountants' Report but Believes the Requirement
As Proposed Should Be Modified
The Proposed Rule provides that broker-dealers file, with the second of the two reports, an attestation from an independent public accountant. This attestation would take the form of a letter that would give an accountant's opinion as to whether there is a reasonable basis for the assertions made by the broker-dealer in the second report, regarding seven (7) areas specified in the Proposed Rule. SIA defers to the comments made in the letter filed by the American Institute of Certified Public Accountants ("AICPA"), dated April 13, 1998, as to the feasibility and efficacy of an accountants' report as well as any appropriate alternatives.
The Proposed Rule correctly recognizes that collecting the information to generate the reports is itself a costly proposition. As noted in the Proposed Rule, the report of the public accountants will require the expenditure of significant fees in excess of those typically paid for the firms' annual audit. While no empirical data exists to support or contradict the Commission's dollar estimates, several persons familiar with the costs of retaining an accountant and who have analyzed the scope of what the accountants would be asked to do, generally believe that the Commission's estimates vastly miss the mark. SIA defers to the views and cost estimates of the AICPA on this issue.
As a general matter, SIA suggests that the public accountant's reports parallel the areas to be addressed by the firms in the Second Report. In the SEC proposal, as currently drafted, accountants are being asked to attest to matters on which the firms have not even reported. This would require independent assessments of firm procedures, processes, testing plans, etc., which would pose unworkable hurdles to the rendering of the accountant's report on any reasonable cost basis. It would seem to make more sense for the firms to first prepare their Second Report covering the areas enumerated in the Rule in its final form. Those reports would then be furnished to the accountant or auditor for their review as to the reasonableness of the statements made. If different areas are to be covered in the accountant's report, this logical process would not work.
As for the substance of the particular areas which the Commission deems appropriate for an accountant's report, there are several that pose some dangers the Commission may wish to consider. In general, the Commission should consider, for instance, the ramifications of expecting an accountant to assess whether a given remediation plan is adequate to address the problems associated with the Year 2000 date change. In order to accomplish this, an accountant (a) would need highly specific technological and Year 2000 expertise in order to adjudge the adequacy of the plans in place, and (b) would have to be intimately familiar with all aspects of the individual firm's computer systems. SIA does not believe that any accounting firm is capable of this attestation at any cost.
Moreover, the timing associated with the reports does not logically coincide with the industry-wide testing schedule, which is to take place in 1999. For instance, the Proposed Report due at year end 1998 will not reflect the firms' participation in, or the results for the firm of, the industry-wide test. Although the industry-wide test has been commended by Chairman Levitt and many other regulators as an essential part of a firm's remediation efforts, it is -- by design and necessity -- limited in scope and in the type of problems it can or will uncover. Neither participation in that test, or successful completion thereof, is a guarantee that any given computer system will be problem-free.
3
Rather than require an attestation that a firm's systems are "ready" for Year 2000, it would be more appropriate and valuable to ask accountants to confirm that a firm's on-going remediation plan and processes are reasonable.
One final note on the accountant's attestation requirement. In the Proposed Rule, the Commission seeks comment on whether the attestation should be prepared by the same independent public accountant who prepares the annual audit of the broker-dealer's 1998 fiscal year-end financial statements. The decision as to who a firm hires for this audit should be left to the firm's discretion. There may be many reasons that factor into a decision of which accountant to hire, not the least of which are whether a firm's usual accountant has sufficient Year 2000 expertise or awareness or, conversely, whether an accounting firm with Year 2000 expertise is familiar enough with the firm's operations to make an audit in this context cost effective. In either event, imposing restrictions on the process by which a firm chooses to retain an accountant would be an unwarranted intrusion into the firm's business.
D. The Commission's Goals in Fostering Public Awareness Can be Accomplished by
Encouraging Material Year 2000 Disclosure Within the Existing Reporting Framework and
Therefore, the Proposed Reports and Accountant's
Report Need Not be Publicly Available
SIA endorses the general view that the securities industry -- and in fact, all industries -- should responsibly and publicly report its general state of Year 2000 readiness. There is, however, an existing reporting framework established by the Commission in which such public disclosure is already to be made.
In the Commission's Staff Legal Bulletin No. 5, revised January 12, 1998, for instance, the Commission thoughtfully, and we think appropriately, provided guidance to firms as to when and whether a firm's Year 2000 readiness may be deemed to "materially" effect the companies business and operations. In Staff Bulletin No. 5, the Commission covered many of the areas which are encompassed in the current Proposed Rule. Indeed, the Commission noted in the Bulletin that a "company's costs and uncertainties will depend on a number of factors" associated with Year 2000 and that "[c]ompanies also must coordinate with other entities with which they electronically interact . . ." The Commission staff notes further that "[i]f a company does not successfully address its Year 2000 issues, it may face material adverse consequences." The Staff Bulletin goes on to set forth several areas which firms should consider in making their materiality determinations (
see
sections of the Staff Bulletin entitled "Management's Discussion and Analysis of Financial Condition and Results of Operations" and "Specific Disclosure Considerations," among others).
The existence of this framework, the guidance from the Commission and its ability to further guide the industry on circumstances it deems to be "material" in the context of all public disclosure, all obviate the need to make the subject Reports publicly available. Moreover, the Proposed Rule's goals will not be compromised by such a plan. Indeed, among the espoused purposes of the Proposed Rule are to "inform the Commission of the preparations broker-dealers . . . are taking to avoid Year 2000 Problems" and to "help broker-dealers understand that they should be taking steps now to avoid Year 2000 problems." These purposes will not be served by permitting public access to the sensitive information contained in these reports. The Commission will be no more informed about the preparedness of the industry if the report is publicly accessible. Similarly, firms will no better understand the problems and tasks that await them if the report is publicly available.
Moreover, the Commission runs the serious risk that candor by the firms will be deterred if firms perceive that every statement will be scrutinized by the public. This raises the risk of unwarranted exposure to premature and meritless litigation at a time when firms should be focused on locating problems in, and fixing, their computer systems. Even good faith statements made now can be seized upon and used against a firm if and when a computer failure occurs, forcing firms to be more cautious in the public statements they make now. It is not insignificant that the plaintiffs' bar has unabashedly put the business world on notice that any failure or default caused by the millennium bug will result in massive shareholder class action suits and other suits already filed.
Both the Securities Exchange Act and the Freedom of Information Act, 5 U.S.C. §552
et seq
. ("FOIA") exemptions provide the Commission with the authority to keep information from being released to the public at large. For instance, under §17(h)(3) and (5) of the Securities and Exchange Act of 1934, the Risk Assessment Rules, disclosure of information provided to the Commission, without the prior written approval of said agency, is prohibited. The statute further provides that nothing in the statute shall be construed to "authorize the Commission to withhold information from Congress, or prevent the Commission from complying with a request for information from any other Federal department or agency . . . " The same scheme would work here. Since the Commission's espoused aim is to collect this information to assist the firms and Congress in assessing the state of affairs, the same type of provision could apply.
Similarly, FOIA protects from disclosure those matters that are "contained in or related to examination, operating, or condition reports prepared by, or on behalf of, or for the use of, an agency responsible for the regulation or supervision of financial institutions." 5 U.S.C. §552(b)(8);
see also
17 C.F.R. §200.80. According to the D.C. District Court, securities exchanges are financial institutions within the meaning of the statute
. Mermelstein v. Securities and Exchange Commission
, 629 F. Supp. 672, 673 (1986). The two reports outlined in the Proposed Rule fall squarely within any common sense definition of an "operating" or "condition" report since the information sought -- at two distinct points in time between now and January 1, 2000 -- is directly reflective of the condition of the firm's remediation efforts and the status of its operations in this regard. Just as the subject report in
Mermelstein v. SEC
was part of the Boston Stock Exchange's inquiry into the status of the operations of one of its members, the Reports required by the Proposed Rule should similarly be deemed part of the SEC's inquiry into a firm's operations, and therefore protected from public scrutiny.
A close analogy may be drawn between the substance of the reports at issue here, and those which are furnished to the exchanges when a merger is proposed. By way of example, when two New York Stock Exchange firms plan to merge, they are required to file with the Exchange, a systems and operations integration report which essentially describes how the two firms' systems will function together.
See
NYSE Information Memo, No. 80-56 (Nov. 24, 1980). In accordance with NYSE policy, these detailed reports are not available to the public. The reports to be prepared pursuant to the Proposed Rule contain equally sensitive, proprietary and in some respects, competitive, information. For all the same reasons, they should be afforded the same confidential treatment.
The Commission is seeking to increase its own awareness of the industry's preparedness efforts, and ultimately, Congress' awareness. By requiring firms to focus on the information requested in the two reports, firms will of necessity be encouraged to review their own remediation plans and processes. Armed with that information, Congress, the Commission and the industry can work together to minimize the potential for computer failure. This lofty goal and the complex process of creating workable solutions will not be served -- and potentially could be hampered -- if the reports are subject to public scrutiny.
Thus, SIA believes that the Commission's goal of assuring that the public is meaningfully apprised of a firm's Year 2000 efforts, is already served by other, existing public disclosure requirements.
On a general note, the Commission may wish to consider whether it would be sensible for firms that have multiple broker-dealers and transfer agents to be able to file a consolidated report. Such a provision would lessen the burden for firms that have several, separate legal entities which use same computer systems. In such an instance, a single report for the entire enterprise may be an attractive option for the firms, and a way to simplify matters for the Commission staff who will ultimately face the daunting challenge of reviewing the reports and synthesizing the information therein. On this note, SIA supports the suggestion of NASD Regulation that a defined format, rather than an open narrative, might be a more user-friendly format. (Of course, this endorsement would depend largely on the particular questions actually included on such a form.)
See
Letter of Elisse B. Walter to Jonathan Katz, dated April 16, 1998, and the sample reporting form attached thereto.
It is both commendable and, in some respects necessary, for the Commission to take a proactive role in monitoring the industry's efforts. SIA strongly supports the goals of the Proposed Rule as a means of increasing industry awareness and assisting industry participants to manage and prevent Year 2000 problems. The steps the Commission takes to do so, however, should be balanced against the need of the industry to devote its already taxed resources to completing the important tasks before it. The recommendations made above are designed to improve the effectiveness of industry Year 2000 reporting while mindful that firms should not be required to provide information that is either unnecessary to achieve the espoused goals of the Proposed Rule, or impractical for the firms to compile and furnish.
In the words of Chairman Levitt, "[t]he challenge of the millennium change for automated information processing is as formidable as any issue the securities industry has faced.
We share the Chairman's confidence and look forward to continuing our work with the Commission on achieving Year 2000 preparedness.
United States Securities and Exchange Commission
450 Fifth Street, NW
Washington, DC 20549
(via e-mail to: rulecomments@sec.gov).
Office of Information and Regulatory Affairs
Office of Management and Budget, Room 3208
New Executive Office Building
Washington, DC 20503
Proposed Rule Relating to Reports to be
Made by Certain Broker-Dealers
Regarding Year 2000 Preparedness
Dear Mr. Katz:
A. The Securities Industry is Well Aware of the Challenges Which Will Accompany the
Millennium Change and Has Been Diligently Working Toward a State of Readiness
(2) An industry awareness program including industry conferences, workshops, seminars and the SIA Year 2000 website (www.sia.com). The SIA held a Year 2000 conference in January 1998 at which over 900 attendees participated and will hold a second conference in October 1998. In March and April, SIA also participated in a joint SIA, DTC, NSCC "road show" which covered six cities in the U.S.
See
Testimony of Arthur Levitt Before the Subcommittee on Financial Services and Technology, Committee on Banking, Housing, and Urban Affairs, Concerning the Readiness of the United States Securities Industry and Public Companies to Meet the Information and Processing Challenges of the Year 2000 ("Levitt Testimony"), July 30, 1997, p. 2.
SIA supports what we believe to be the Commission's goal, that is, to ascertain the types and scope of the work being undertaken at the firms by various groups of employees or third parties to remediate their Year 2000 problems. However, as currently drafted, the underscored words seem to ask a firm to delineate the work that
each
individual has performed in connection with Year 2000 remediation. It would be an enormous undertaking, and one without particular benefit, to require firms to delineate the tasks undertaken and completed by each of the hundreds of individuals in the firms themselves and in the consulting firms many have hired to assist them. If the intention of the requirement is to elicit a general description of the types of work, and overall status of work, being done by Year 2000-designated personnel, we suggest the underscored language be changed to read "these groups of individuals."
SIA supports this requirement generally, but offers the following suggestion for its clarification and improvement.
SIA wholeheartedly agrees with the Commission's belief that contingency planning is a critical part of the planning process. SIA suggests, however, that this requirement be modified to reflect the reality that there are certain
external
events or failures which are not susceptible to a viable firm contingency plan.
See
Proposed Rule, Footnote 7, covering external interfaces. For instance, if a major exchange cannot accept orders on January 4, 2000, if a communications carrier fails on that day, or if a major third party provider falters, there may be little a firm can do by itself to plan for that event. SIA is working with the industry exchanges, clearing and depositories, as well as with the New York Federal Reserve Bank and major third party providers to develop industry-wide approaches to contingency plans.
While SIA supports the intention of this requirement, insofar as it is aimed at ascertaining the extent of management involvement in the remediation process, we suggest that the requirement for an estimation of the "percentage of time" spent by each individual of management be eliminated. As is particularly the case in the Year 2000 remediation process, which cuts across so many different areas, including operations, business, legal, compliance, global operations, attempting to assign a time estimate to any one task or responsibility is burdensome and not particularly meaningful. Moreover, the term "management" is somewhat amorphous, such that the inquiry may be subject to varying interpretations as to who should be included in the response, and, depending on that interpretation, could encompass thousands of people for the larger firms.
SIA believes this to be a reasonable area for an accountant's report, provided that it is not intended to have the accountant offer an opinion as to whether the written plan will avoid Year 2000 problems. Requiring an accountant to insure, in essence, that no problems will occur when the millennium changeover occur is not feasible. SIA does not believe that the Commission intended this. Rather, we believe the intention here was to ascertain whether proper or reasonable processes are in place to address the foreseeable problem areas in the firms' computer systems, without requiring any implicit guarantee as to actual success.
SIA is unsure of the intended scope of this request. However, it would be inappropriate to extend the rule to require an attestation relating to entities which are not subject to the Proposed Rule's reporting requirements.
The first two clauses of this item are appropriate areas for an accountant's report. However, the final clause, underscored above, would impose an impossible burden both on the firm and on the accountant. In fact, the very quandary faced by those working to remove Year 2000 bugs from their computer systems is whether the modifications made to the systems will in fact "correct Year 2000 Problems." By all accounts, Year 2000 problems may emerge in innumerable unforeseen areas. Uncovering such issues is one of the purposes of the street-wide testing planned for 1999. No matter how much preparation, testing or time is spent to foresee, locate and solve the problem, errors -- ranging from minor glitches to severe interruptions -- may occur. We question whether it can be determined in advance that any given auditor or accountant will have the requisite expertise to make such a representation. For these reasons, it is both impracticable and onerous, and would of course result in an exponential rise in accountant's fees, if accountants are asked to represent that a computer system has been corrected for Year 2000 problems.
For the reasons discussed above in Item (6), the above underscored clause is not an appropriate subject for an accountant's report. In addition to the concerns described above, requiring an accountant's report in the context of
industry-wide testing
, rather than internal testing, as in the previous item, is problematic for yet another reason. It is possible that the inclusion of this item reflects a simple misunderstanding of the nature and scope of the industry-wide testing which will begin in July 1998 and continue into 1999. Perhaps some explanation of that testing process is necessary. The industry-wide test has been designed to test a wide range of conditions but no test can identify all the possible problem areas that may lurk in the complicated computer systems which help the securities industry to function. It is also important to distinguish the industry-wide testing from the industry "beta" testing. SIA intends to report separately on the results of both the beta test and the industry-wide test.
E. Number and Format of Reports
. . . I am, however, confident that this industry, which has so successfully dealt with any number of serious obstacles in the past, will be well prepared to deal with this issue." Levitt Testimony,
p. 11.
cc: The Honorable Arthur Levitt, Chairman
The Honorable Paul Carey, Commissioner
The Honorable Isaac Hunt, Jr., Commissioner
The Honorable Norman Johnson, Commissioner
The Honorable Laura Unger, Commissioner
Richard Lindsay, Director, Division of Market Regulation
Michael Macchiaroli, Associate Director,
G:\USERS\LEGAL\SHARED2\Y2K Kittell 4-22.doc
1
The Securities Industry Association brings together the shared interests of nearly 800 securities firms, employing more than 380,000 individuals, to accomplish common goals. SIA members -- including investment banks, broker-dealers, and mutual fund companies -- are active in all markets and in all phases of corporate and public finance. The U.S. securities industry manages the accounts of more than 50-million investors directly and tens of millions of investors indirectly through corporate, thrift and pension plans and accounts for $270 billion of revenues in the U.S. economy. (More information about the SIA is available on its home page: http://www.sia.com.)
2
The Commission has also sought comment on the appropriate individual to sign the Reports. SIA suggests that any senior officer is an appropriate signatory, depending on the firm's organizational structure.
3
In fact, SIA's testing disclaimer reads: "The information contained in this SIA Year 2000 testing document is provided as is.' All warranties and representations of any kind with regard to such information are hereby disclaimed.
SIA's Year 2000 testing is a test of certain basic calculation and infrastructure functions for the Year 2000. Successful completion of SIA testing is not an indication of any party's complete Year 2000 readiness for compliance."
(Emphasis supplied.)