party suppliers regarding their ability to renovate timely and effectively external mission-critical systems that are not Year 2000 ready; and

3. Develop in writing an ongoing due diligence process to monitor and evaluate the efforts of external third party suppliers to achieve Year 2000 readiness, including:

a. monitoring the efforts of external third party suppliers to achieve Year 2000 readiness on at least a quarterly basis and documenting communications with these suppliers; and

b. reviewing the insured depository institution's contractual arrangements with external third party suppliers to determine the parties' rights and obligations to achieve Year 2000 readiness.

D. Testing of Mission-Critical Systems. Each insured depository institution shall:

1. Develop and implement an effective written testing plan for both internal and external systems. Such a plan shall include the testing environment, testing methodology, testing schedules, budget projections, participants to be involved in testing, and the critical dates to be tested to achieve Year 2000 readiness;

2. Verify the adequacy of the testing process and validate the results of the tests with the assistance of the project manager responsible for Year 2000 readiness, the owner of the system tested, and an objective independent party (such as an auditor, a consultant, or a qualified individual from within or outside of the insured depository institution who is independent of the process under review);

3. Substantially complete testing of internal mission-critical systems by December 31, 1998;

4. Commence testing of external missioncritical systems by January 1, 1999;

5. Substantially complete testing of external mission-critical systems by March 31, 1999;

6. Commence testing with other material third parties by March 31, 1999; and

7. Complete testing of all mission-critical systems by June 30, 1999.

E. Business Resumption Contingency Planning. Each insured depository institution shall develop and implement an effective written business resumption contingency plan that, at a minimum:

1. Defines scenarios for mission-critical systems failing to achieve Year 2000 readi

ness;

2. Evaluates options and selects a reasonable contingency strategy for those systems; 3. Provides for the periodic testing of the business resumption contingency plan; and

4. Provides for independent testing of the business resumption contingency plan by an objective independent party, such as an auditor, consultant, or qualified individual from another area of the insured depository insti

tution who was not involved in the formulation of the business resumption contingency plan.

F. Remediation Contingency Planning. Each insured depository institution that has failed to successfully complete renovation, testing, and implementation of a mission-critical system, or is in the process of remediation and is not on schedule with the key dates in section II.D, shall develop and implement an effective written remediation contingency plan that, at a minimum:

1. Outlines the alternatives available if remediation efforts are not successful, including the availability of alternative external third party suppliers, and selects a reasonable contingency strategy; and

2. Establishes trigger dates for activating the remediation contingency plan, taking into account the time necessary to convert to alternative external third party suppliers or to complete any other selected strategy.

G. Customer Risk. Each insured depository institution shall develop and implement a written due diligence process that:

1. Identifies customers, including fund providers, fund takers, and capital market/asset management counterparties, that represent material risk exposure to the institution;

2. Evaluates their Year 2000 preparedness; 3. Assesses their existing and potential Year 2000 risk to the institution; and 4. Implements appropriate risk controls, including controls for underwriting risk, to manage and mitigate their Year 2000 risk to the institution.

H. Involvement of the Board of Directors and Management.

1. During all stages of the renovation, testing, and contingency planning process, the board of directors and management of each insured depository institution shall:

a. be actively involved in managing efforts to plan, allocate resources, and monitor progress towards attaining Year 2000 readiness;

b. oversee the efforts of the insured depository institution to achieve Year 2000 readiness and allocate sufficient resources to resolve problems relating to the institution's Year 2000 readiness; and

c. evaluate the Year 2000 risk associated with any strategic business initiatives contemplated by the insured depository institution, including mergers and acquisitions, major systems development, corporate alliances, and system interdependencies.

2. In addition, the board of directors, at a minimum, shall require from management, and management shall provide to the board of directors, written status reports, at least quarterly and as otherwise appropriate to keep the directorate fully informed, of the insured depository institution's efforts in achieving Year 2000 readiness. Such written status reports shall, at a minimum, include:

a. The overall progress of the insured depository institution's efforts in achieving Year 2000 readiness;

b. The insured depository institution's interim progress in renovating, validating, and contingency planning measured against the insured depository institution's Year 2000 project plan as adopted under section II.A.5. of appendix B;

c. The status of efforts by key external third party suppliers and other material third parties in achieving Year 2000 readiness;

d. The results of the testing process;

e. The status of contingency planning efforts; and

f. The status of the ongoing assessment of customer risk.

APPENDIX A TO PART 31— INTERPRETATIONS

Section 1. Loans Secured by Stock or
Obligations of an Affiliate

A bank that makes a loan to an unaffiliated third party may take a security interest in securities of an affiliate as collateral for the loan without the loan being deemed a "covered transaction" under section 23A of the Federal Reserve Act (12 U.S.C. 371c) if:

a. The borrower provides additional collateral that, taken alone, meets or exceeds the collateral requirements specified in section 23A(c) (12 U.S.C. 371c(c)); and

b. The loan proceeds:

1. Are not used to purchase the bank affiliate's securities that serve as collateral; and 2. Are not otherwise used for the benefit of, or transferred to, any affiliate.

Section 2. Deposits Between Affiliated Banks a. General rule. The OCC considers a deposit made by a bank in an affiliated bank to be a loan or extension of credit to the affiliate under 12 U.S.C. 371c. These deposits must be secured in accordance with 12 U.S.C. 371c(c). However, a national bank may not pledge assets to secure private deposits unless otherwise permitted by law (see, e.g., 12 U.S.C. 90 (permitting collateralization of deposits of public funds); 12 U.S.C. 92a (trust funds); and 25 U.S.C. 156 and 162a (Native American funds)). Thus, unless one of the exceptions to 12 U.S.C. 371c noted in paragraph b. of this interpretation applies or unless another exception applies that enables a bank to meet the collateral requirements of 12 U.S.C. 371c(c), a national bank may not:

1. Make a deposit in an affiliated national bank;

2. Make a deposit in an affiliated Statechartered bank unless the affiliated Statechartered bank can legally offer collateral for the deposit in conformance with applicable State law and 12 U.S.C. 371c; or

3. Receive deposits from an affiliated bank. b. Exceptions. The restrictions of 12 U.S.C. 371c (other than 12 U.S.C. 371c(a)(4), which requires affiliate transactions to be consistent with safe and sound banking practices) do not apply to deposits:

1. Made in the ordinary course of correspondent business; or

2. Made in an affiliate that qualifies as a "sister bank" under 12 U.S.C. 371c(d)(1). [61 FR 54536, Oct. 21, 1996]

APPENDIX B TO PART 31-COMPARISON OF SELECTED PROVISIONS OF PART 31 AND PART 32 (AS OF OCTOBER 1, 1996)

NOTE: Even though part 31 now simply requires that national banks comply with the

insider lending provisions contained in Regulation O (Reg. O) (12 CFR part 215), the chart in this appendix refers to part 31 because Reg. O is a Federal Reserve Board regulation

and part 31 is the means by which several provisions of Reg. O are made applicable to national banks and their insiders.