31-303 - System Changes for Market Participants after Completion of Year 2000 Testing [CSA - Rescinded]
In completing remediation and testing efforts to address the Year 2000 problem1,
1 For guidance, market participants are referred to the definition of "Year 2000 Problem" contained in National Instrument 33-106.
dealers, advisers and other market participants should consider implementing a moratorium on mission critical system changes at some point after their systems have been tested for Year 2000 compliance.
Market participants need to ensure the ongoing integrity of their internal systems once they have become Year 2000 compliant while at the same time ensuring that their systems meet the changing needs of their businesses. Market participants must also be able to place confidence in the results of Y2K testing by other participants, confidence that could be jeopardized by post-testing systems changes. A moratorium would help to minimize this risk of invalidating test results. Staff of the members of the Canadian Securities Administrators ("CSA staff") will monitor developments and concerns expressed by industry participants to assess whether voluntary adoption of such a moratorium is sufficient or whether a mandatory moratorium would be appropriate for certain market participants.
Many organizations currently implement an annual systems modification freeze for a short period just before and after their fiscal year end to ensure that nothing interferes with year end processing and the production of year end reports.
Some organizations have already announced publicly their decision to implement a freeze to address the added risk of Year 2000 compliance. For example, one major international broker announced in January 1999 that its freeze would go into effect in mid-October and extend into 2000. Other organizations are currently considering the period that their freeze should cover. However, it appears that many organizations implementing their freeze will do so beginning in late summer or during the fall.
Best Practice Guidelines
In light of the above, CSA staff recommend the following ‘best practice’ guidelines for market participants. The Appendix provides additional ‘best practices’ for system changes made within the framework of these guidelines:
- Market participants should consider introducing a moratorium on major upgrades to mission critical systems for a period extending from at least October 1, 1999 until the end of February 2000.
- System changes on mission critical systems should generally be limited to isolated changes for which there is a significant need (as opposed to normal maintenance or discretionary upgrades).
- Market participants should implement strong change control procedures, including a quality assurance function, for any system change to mission critical systems.
- Market participants should undergo the same Year 2000 certification for all system changes to mission critical systems that was used to ensure the initial Year 2000 system compliance.
To assist market participants, the CSA will not unnecessarily issue new requirements that involve significant system changes to mission critical systems during the voluntary moratorium period.
For further information, please contact:
Alberta Securities Commission
British Columbia Securities Commission
Ontario Securities Commission
Commission des valeurs mobilières du Québec
(514) 940-2199 ext. 4301
May 7, 1999
ENSURING ONGOING YEAR 2000 COMPLIANCE
If a change is made within the ‘best practices’ guidelines framework, market participants should follow the additional ‘best practices’ set forth below:
Systems management is responsible for ensuring that Year 2000 compliance is specifically stated in all new enhancement and development requests.
If Year 2000 compliance is not specifically stated, the request form should be altered and the users informed accordingly.
Analysts are responsible for ensuring that new or modified designs will be Year 2000 compliant.
Analysts are also responsible for ensuring that new designs are consistent with Year 2000 solutions used for existing applications.
Review of the design should be carried out by a quality assurance function or by one or more analysts who have not been involved in developing the new or modified design.
Programmers are responsible for ensuring that any new or modified code is Year 2000 compliant.
Programmers must also ensure new codes are consistent with Year 2000 solutions adopted for existing applications.
Testers are responsible for ensuring that new or modified codes are tested for Year 2000 compliance.
Testers must also ensure that new tests are consistent with Year 2000 tests already used for existing applications.
The level of testing that will be appropriate will depend in part on the ratio of cost of testing to cost of failure. This requires an analysis of the business risks associated with a failure (both for the individual participant and for the industry) and, if necessary, quantification of the costs.
Where time is limited, test scenarios should be prioritized so that areas of greatest business exposure and most likely incidence of Year 2000 problems are dealt with first.
Users are responsible for ensuring that new or modified applications are tested for Year 2000 compliance.
Users should focus tests on user scenarios and activities to establish a level of confidence in the system.
Users should sign-off that the modifications are Year 2000 compliant.
Good Practice for Procurement
New procurement requests and specifications to suppliers should state that the product must be Year 2000 compliant.
Supplier documentation (contract terms and conditions, warranties, and evidence of Year 2000 testing) should be assessed to establish the Year 2000 status of a product.
If the level of confidence on the Year 2000 compliance of a product is insufficient, additional Year 2000 testing of the product should be conducted.