18 August 1999

The Chief Executive
All authorized institutions ("AIs")

Dear Sir/Madam,

Guidance Note on Year 2000 Contingency Planning No. 5/99
Data Backup for the Year 2000 ("Y2K") Problem

As the New Millennium draws closer, it will become increasingly important for AIs to convince their customers that records of account balances and other data will be protected against any Year 2000-related problems that might emerge. Customers will want to be reassured that their data are safe. In this connection, it is important that AIs should take rigorous steps to ensure sufficient backup of the records of customer data in preparing for the Y2K problem. Furthermore, adequate data backup, together with tested contingency plans, will help AIs resume their critical operations in the event of any system failures. The purpose of this Guidance Note is to provide AIs with some specific suggestions on this important issue.

The HKMA understands that it is already a normal daily routine for AIs to perform data backup of the critical data of their systems in removable media¹ and keep these backup data at remote locations. It is crucial that your institution reviews the adequacy of its existing data backup procedures and evaluates their continued effectiveness in the context of the Y2K problem. AIs should ensure that even in the event that their systems fail to operate, they can still retrieve the data from the backup copies. Notwithstanding these efforts, the HKMA considers that given the importance of this issue for public confidence, AIs should take extra care to ensure the integrity of customer data. The fact that 31 December 1999 is now a general holiday will enable this to be done and AIs are advised to take full advantage of this. In particular, the HKMA recommends AIs to consider the following specific suggestions.

Data backup around 1 January 2000

As 30 December 1999 is the last business day in 1999, AIs will generally perform the last day-end, month-end and year-end computer operations² in 1999 for the majority of their critical systems (including customer deposit systems) after the close of business on that day. AIs should perform data backup³ of the critical data of these systems after such operations and complete these backup tasks before the mid-night of 31 December 1999. AIs should produce at least two copies of each set of backup data to be kept at the computer operation centre and the backup site (or other remote locations) respectively.

The backup processes using the normal machine-readable media (CDs, tapes or removable discs) are essential for quick reconstruction of records and resumption of business if necessary. AIs should also verify before the millennium date change that data have been properly stored in the backup copies, by testing and confirming their retrievability. Given the additional buffer provided by the New Year Eve Holiday, AIs should, to the extent possible, print hard copies of all necessary reports including customers' data as an additional form of backup. The benefit of this is that customers are likely to feel more assured if they know that a hard copy of their data exists. This will also enable AIs to fall back on manual operations in the event of system failure.

We understand that it may be difficult for some AIs to print hard copies of all customer data, despite the holiday buffer. In such cases, consideration should be given to printing only highly critical data such as current and savings deposit account information (time deposits should already have some form of paper record in the hand of the customers), or alternatively make sure that critical data are copied onto a medium such as microfiche or CD-ROM in a format which could be readily read and printed.

The HKMA recognizes that some critical real-time systems will continue to operate during the changeover to 1 January 2000 (e.g., phone banking, ATM, credit cards authorisation, FX margin trading). For these systems, the HKMA understands that most banks have adopted the following methods to safeguard details of the transactions performed over these systems:

1. each transaction performed is recorded in the disk drive of the relevant production system, as well as in a "mirror disk drive" that maintains a real-time copy of data stored in the disk drive of the production system; for some institutions, additional mirror disk drives are installed at the remote backup sites so that such transactions can also be recorded simultaneously at the remote sites;

2. all on-line transactions are recorded in journals so that if the disk drive crashes, the journals can be used to re-apply the transactions to the last backup of the data and reconstruct the accurate positions immediately before the crash; and

3. hard copy records are available for some of these systems. For instance, each ATM machine normally contains a hardcopy journal for each transaction performed through the machine. Moreover, transactions raised for FX margin trading should be supported by paper tickets or vouchers raised on behalf of the customers.

AIs should consider adopting the above measures or any other equally effective measures to preserve data of the transactions performed over such real-time systems if they have not already done so. AIs should also consider performing an additional round of data backup on 31 December 1999 to capture transactions performed over these critical real-time systems since the last backup⁴. This will help minimise the time required to reconstruct records if necessary. This last round of backup should be scheduled carefully so that it is completed before midnight.

Data backup around other Y2K critical dates

AIs should also strengthen the data backup procedures and arrangements for other Y2K critical dates including the following :

• 8 September 1999
• 9 September 1999
• 3 January 2000
• 28 February 2000
• 29 February 2000

AIs should perform and complete the backup of the critical data, such as customer account information of deposit systems before midnight. In addition, AIs should have the more critical data written on removable electronic media in a flat file format as far as practicable, rather than printing on paper. AIs can print whatever they deem necessary after they have reached the safe point of having saved data to removable electronic media. However, as these dates pose relatively less risk to systems compared with the New Millennium itself and they are normal business days, AIs should take care that whatever extra measures they intend to adopt should not adversely affect their normal operations on the next business day.

Data retention arrangement

AIs should also consider the need to retain their data backup copies performed around Y2K critical periods. This would allow AIs to refer to the original data in the event that some Y2K problems emerge after the Y2K critical dates.

Testing of data backup procedures and arrangements

It is crucial that AIs should properly test their data backup procedures or arrangements before implementation. The objectives of the test should at least cover the following:

1. to validate that the data backup to be performed will provide adequate information for AIs to reconstruct the accurate positions of their assets and liabilities and their customer records under different scenarios of system failure;

2. to verify that the backup procedures and arrangements will be workable and reliable and that the data backup software, devices and storage media are free from Y2K problems, as far as practicable; and

3. to estimate the time required for completing different data backup processes including report printing so that these processes can be properly scheduled.

Moreover, AIs should arrange sufficient staffing and other resources, such as printers, storage media, devices, and other supplies required for implementing the data backup procedures and arrangements.

Protection of customer data as part of customer awareness programme

As protection of customer data is crucial to maintenance of customer confidence in an AI's preparedness for Y2K, it is important that the Y2K customer awareness programmes of AIs should incorporate this important element to promote the confidence of their customers that customer records will be safe. Clear information should be provided to customers in this respect and front line staff should be properly trained to answer customers' enquiries about your institution's record protection measures.

The HKMA will shortly conduct examinations on selected institutions to assess that they are taking adequate measures to determine that sufficient data backup will be maintained for the millennium change. Should you have any queries on this guidance note, please contact Mr. Brian Lee at 2878-1651 or Miss Florence To at 2878-1197.

1. Examples of removable media are computer tapes, cartridges, compact discs, diskettes, etc. separate from the computer systems.

2. These computer operations will normally cover various batch processes, such as processing of paper cheques drawn on customer current accounts, calculation of interest accrual, printing of various daily, monthly and yearly operational reports.

3. Apart from the file format adopted in normal data backup, AIs should perform additional backup for the more critical data in a flat file format as far as practicable so that the data can be read by other computers not equipped with the original software.

4. If the services of the real-time systems have to be temporarily suspended when this additional round of data backup is being performed, it might be possible that some customers would interpret the unavailability of services as a Y2K problem during that sensitive period. AIs should therefore consider carefully whether the benefits of such backup would outweigh the possible adverse reaction of customers.