Our Ref.: B9/39C

14 July 1999

The Chief Executive
All Authorized Institutions

Dear Sir/Madam:

Year 2000 Counterparty Assessment

We wrote on 7 October 1998 requiring your institution to identify, assess and establish risk controls with respect to Y2K risks posed by counterparties. To date, reports indicate that the majority of authorized institutions (AIs) are already at an advanced stage in their counterparty assessment. In the course of our on-site examinations, we have identified some areas of weakness in institutions' counterparty assessment. We have summarised our findings below and write to provide you with further specific suggestions to improve the effectiveness of your counterparty assessment.

What are the results of AIs' counterparty assessment so far?

Based on the formal statements, AIs have on average completed 96% of their counterparty assessment as at end-May 1999. Although a few AIs need more time to catch up with their progress, this is understandable given the extensive scope of Y2K counterparty assessment. In the recent round of on-site examinations on selected AIs, the HKMA has identified some weaknesses in their assessment process as follows:

• There are insufficient efforts to assess Y2K risks posed by issuers of debt securities. AIs' cash flow could be adversely affected if these issuers cannot make interest payments or cannot redeem the securities upon their maturity on Y2K-critical dates.

• Some AIs have not incorporated Y2K counterparty risks into their investment decisions and credit assessment (e.g. by incorporating provisions into contractual agreements requiring counterparties to disclose Y2K plans and provide periodic updates on Y2K progress).

• There are insufficient follow-up actions on counterparties who have not responded to AIs' Y2K questionnaire/request for information or whose response is unsatisfactory.

• The assessment efforts of AIs have mostly been concentrated on large corporates. While some AIs argue that small-to-medium sized enterprises (SMEs) are generally not IT-oriented and the associated Y2K counterparty risk is therefore less, there is no structured analysis available to substantiate the case. On the other hand, there are indications that the Y2K awareness and compliance progress of SMEs are likely to be behind that of large corporates. AIs might face substantial risks if a group of SMEs fail at the same time because of Y2K. Therefore, AIs should conduct assessment on the Y2K progress of at least a number of selected SMEs e.g. those who have responded poorly to the AI's request for Y2K information and those relying on IT systems support or having more complex IT systems.

The HKMA expects AIs to make improvements in the above areas, if they have not done so already. They should also make consolidated assessment of the potential impact of various counterparty risks and factor these potential risks into their overall liquidity, credit and operational risk management policies.

What measures should AIs adopt with respect to those counterparties who have not disclosed their Y2K compliance progress or whose progress is unsatisfactory?

While by no means comprehensive and exhaustive, the follow-up actions below should be considered by AIs:

• Proactively seeking information from problem counterparties through, for example, telephone contacts or even personal visits to problem counterparties, and maintaining periodic dialogue with counterparties on their Y2K compliance progress. Listed companies are required by regulation to report their Y2K compliance in their annual reports or financial disclosure statements. Some companies also put up their Y2K compliance progress on the Internet for public information.

• Conducting rigorous assessment of the potential impact if problem counterparties may subject the AIs concerned to significant liquidity, credit and operational risks. Appropriate risk controls measures should be developed in response to these risks. For example, AIs may consider:

• Establishing deadlines for the production of information by problem counterparties, and notifying that action might be taken if information is not forthcoming within a reasonable timeframe. If adjustments to credit facilities or settlement limits are being considered, the counterparties concerned should be given the opportunity to disclose additional information on their Y2K preparations and to propose other risk mitigation measures to forestall the need for reductions in credit and settlement limits. These mitigation measures may include third-party guarantee and placement of collateral which should help to mitigate increase in credit risks while avoiding shrinkage in available sources of funding.

• Rescheduling transactions with problem counterparties and maturities so that they do not fall on those Y2K-critical dates. AIs may also consider arranging high quality and liquid assets in place and entering into standby funding arrangements with other institutions in case there are unexpected funding needs on Y2K-critical dates.

What additional measures should AIs adopt to address overseas counterparty risks?

AIs may be subject to credit, liquidity and operational risks if their exposures are located in overseas countries whose key public infrastructure providers are not Y2K-compliant. Failure of infrastructures such as telecommunications and payment and settlement systems can in the worst case cause widespread systemic problems for organisations relying on their uninterrupted services. In particular, certain multinational banks in Hong Kong may be exposed to Y2K country risks when they rely on overseas funding and/or technology support, e.g. from their parent institutions and IT service bureaux. As a result, AIs may face increased risks when the public infrastructure providers on which their overseas counterparties depend encounter Y2K problems.

AIs which have significant overseas exposures should take adequate measures to assess and manage Y2K country risks. In general, they should:

• Assess the Y2K readiness of key infrastructures in countries to which they have major exposures e.g. power supply, telecommunications and payment and settlement systems. Many large banks with multinational operations possess the means and resources to gather information on individual country readiness. As regards small institutions which may not have such ready access to information, it is advisable for them to contact their counterparties
• directly to obtain more information on country readiness, as well as to refer to relevant country assessments by reputable international organisations such as Moody's, Gartner Group and Global 2000 Co-ordinating Group (this Group's country readiness assessment has not been formally published but the Hong Kong Association of Banks has circulated the Group's country assessment to its member institutions).

• Establish appropriate risk control measures such as those mentioned above in their liquidity, credit and operational risk management policies after they have evaluated their Y2K country risk exposures and perform periodic updates on the Y2K progress of each country concerned.

I trust that you will find the above suggestions useful. If there are any questions on the above, please contact Mr. Vincent Lee at 2878-1384.

c.c. Chairman, HKAB
        Chairman, DTCA
        Secretary for Financial Services (Attn: Miss Vivian Lau)