Notice to Members 99-13

NASD Alerts MembersTo Year 2000 Mandatory Testing Activities

Published Date:

SUGGESTED ROUTING
Senior Management
Advertising
Continuing Education
Corporate Finance
Executive Representatives
Government Securities
Institutional
Insurance
Internal Audit
Legal & Compliance
Municipal
 Mutual Fund
Operations
Options
Registered Representatives
Registration
Research
Syndicate
Systems
Trading
Training
Variable Contracts

Executive Summary

On December 3, 1998, the Securities and Exchange Commission (SEC) approved NASD Rule 3410 (Rule or Year 2000 Mandatory Testing Rule), which "establish[es] the NASD's specific authority to require certain members to participate in Year 2000 tests and to require reporting on the tests."

The National Association of Securities Dealers, Inc. (NASD®) is mandating Year 2000 testing to ensure that all NASD member firms have completed appropriate levels of testing in the interests of investor protection and market integrity. The Year 2000 Mandatory Testing Program is designed to mitigate the risk of disruptions on and after January 1, 2000.

The purpose of this Notice is to alert NASD member firms about the mandatory testing requirements, to help members locate further information about specific testing requirements, and to answer some frequently asked questions about Year 2000 testing. A list of frequently asked questions is included at the end of this Notice.

Questions concerning this Notice may be directed to the NASD Year 2000 Program Office at (888) 227-1330.

Background

The NASD Year 2000 Mandatory Testing Rule requires NASD members that are clearing firms, Market Makers, and government securities firms to "conduct or participate in such testing of computer systems as the Association may prescribe." Pursuant to this Rule, selected broker/dealers must test missioncritical systems that have electronic interfaces with the NASD, exchanges, clearing corporations, or service providers. More specifically, the NASD is mandating four different kinds of testing: (1) Securities Industry Association (SIA) Industry Cycle Testing, (2) Critical Service Bureau interface testing, (3) Nasdaq Stock Market interface testing, and (4) NASD Regulation application interface testing (Central Registration Depository - CRDSM - system). Each one of these categories is described in more detail below.

Mandated Firm Information

Each NASD member that is required to conduct Year 2000 tests pursuant to NASD Rule 3410 will be listed on the SIA Web Site (www.siay2k.com). This Site allows member firms to see all testing mandates from the NASD and any other self-regulatory organization (SRO). As you will see on the SIA Web Site, each SRO is mandating some form of Year 2000 testing; therefore, some NASD members (i.e., those NASD members that are also members of other SROs) will be subject to more than one SRO's mandatory testing rule. It is incumbent upon the NASD members selected to test to review the information available at this Site since the NASD Year 2000 Mandatory Testing Rule may mandate different tests than are required by other SROs. This information will be updated if testing mandates are revised during the testing periods. The SIA will keep this information current. If you have any questions regarding your firm's specific testing obligations, you should contact each SRO in which your firm is a member.

SIA Industry Cycle Testing. The SIA Industry Cycle Test is a coordinated, four-date test that simulates a trading cycle (i.e., the executing, clearing, and settlement processes) crossing over the Year 2000 date change. The Industry Cycle Test is scheduled to occur over a four-weekend period (3/6/99, 3/13/99, 3/27/99, and 4/10/99) and will test predetermined Year 2000 critical dates (12/29/99, 12/30/99, 12/31/99, and 1/3/00). There is an additional weekend testing date for both mutual funds and options dealers. Mutual funds must also test on 4/17/99 (with a system date of 1/4/00) and options dealers must test on 4/24/99 (with a system date of 1/22/00). The Industry Cycle Test allows firms to test systems' functionality by executing, clearing, and settling trades with the participating exchanges and clearing corporations. Mandated firms should already have registered for Industry Cycle Tests and performed all prerequisite point-to-point testing—meaning testing between two parties. To schedule participation in the Industry Cycle Test, contact the SIA at (888) Y2K-4SIA (888-925-4742).

Mandate Summary: Mandated to test are NASD firms that are participants of the National Securities Clearing Corporation (NSCC), either directly or through service bureaus. The clearing firms mandated to participate in this testing all clear at least an average of 30 trades per day based on 1998 fourth quarter statistics.

Critical Service Bureau Interface

Testing. Many broker/dealers use service providers for some critical functions (i.e., clearing, trade data, and news). Testing with any critical third-party service provider is generally considered an "appropriate business practice."

Mandate Summary:

  • Service Bureaus: All NASD clearing firms, Market Makers, and government securities firms are mandated to test their connections with critical service bureaus.


  • Member firms that clear for others: All NASD firms that clear for others are mandated to test with any firm for which they provide this service if that firm wishes to execute such testing in order to satisfy its efforts to prepare its business for the Year 2000 transition. Proxy testing may apply at the discretion of both parties.

Nasdaq Stock Market Interface Testing. Testing with The Nasdaq Stock Market® is considered point-topoint testing. Point-to-point tests are date tests in a Year 2000 environment (e.g., 1/3/2000). These tests are used to verify that firms can communicate with a particular exchange or clearing corporation, or between firms using communication lines (e.g., production or test lines, as mandated by the particular exchange or clearing corporation). These tests must be coordinated and scheduled between the testing parties (e.g., between Nasdaq and a clearing firm).

Mandate Summary:

  • Computer-To-Computer Interface (CTCI): Testing is mandated for all NASD clearing firms and Market Makers that utilize this interface.


  • Application Programming Interface (API): Testing is mandated for all NASD clearing firms andMarket Makers that utilize this interface.


  • Nasdaq Workstation II (NWII): Testing is mandated, but proxy testing is acceptable for all clearing firms and Market Makers.

NASD Regulation Interface Testing—CRD. Testing with NASD RegulationSM applications is also considered point-to-point testing. The test will involve only certain aspects of the CRD system. Other NASD Regulation applications (such as FOCUS, Reg T., Blue Sheets, Shorts, OATSSM, Customer Complaints) will be available for voluntary testing from February through September 1999. While these applications are not mandatory, firms are urged to include applicable compliance applications in their testing programs. The NASD will schedule testing for these applications on a first-come, first-serve basis. NASD Regulation has published a "Product and Service" flyer, which is available on the NASDR Web Site (www.nasdr.com), that outlines testing availability for all compliance applications. To schedule a test, obtain test procedures, or to learn more about voluntary testing, call the Year 2000 Program Office at (888) 227-1330.

Mandate Summary:

  • CRD: Testing is mandated for all batch users of this system. Batch users are required to test all batch functions and the Firm Access Query System (FAQS) that is part of the CRD application. The CRD system will be available beginning in May 1999.

Proxy Testing. See frequently asked question #7 on page 64.

Industry Coordination. The NASD is participating in an industry-wide effort led by the SEC to coordinate all Year 2000 mandatory testing. The NASD will exchange testing reports with other SROs and use this information to monitor firm participation in any mandated tests. Firms designated to participate in mandatory testing that fail to test will be subject to NASD disciplinary actions.

Exemptions From Mandate. Requests for exemptions from the NASD testing mandate should be made in writing and forwarded to the NASD Year 2000 Program Office at 15201 Diamondback Drive, Rockville, MD 20850 by February 21, 1999. The request must be signed by an officer of the organization. The NASD Year 2000 Program Office will review all requests and reply to each firm in writing.

Mandatory Testing Education

The SIA will hold a two-day conference in New York City at the Marriott Marquis on February 2 and 3 to provide further information on the Industry Cycle Testing. We encourage that firms mandated to test attend this SIA conference. The SIA registration information is available from the SIA at (888) Y2K-4SIA (888-925-4742), or on its Web Site.

Who To Call
Available Tests Contact Phone
Industry Cycle Test SIA Call Center (888) Y2K-4SIA
Nasdaq Nasdaq Test Scheduling (203) 385-4610
NASD Regulation NASD Regulation Test Scheduling (888) 227-1330, Option 3
Amex® Ed Cook (212) 306-1748
For more test scheduling contacts, check the SIA How to Test Guide at www.sia.com.

For general information on the NASD Year 2000 Program or to sign up for NASD-sponsored workshops on Mandatory Testing, call (888) 227-1330 and select Option 1.

Frequently Asked Questions

1. What is Point-to-Point Testing?

Connectivity/point-to-point tests are one-date tests in a Year 2000 environment (e.g., 1/3/2000). These tests are used to verify that firms can communicate with a particular exchange or clearing corporation, or between firms using communication lines (e.g., production or test lines, as mandated by the particular exchange or clearing corporation). These tests must be coordinated and scheduled between the testing parties.
2. What are Industry Cycle Tests?

The SIA Industry Cycle Test is a coordinated, four-date test that simulates a trading cycle (i.e., the executing, clearing, and settlement processes) crossing over the Year 2000 date change. The Industry Cycle Test is scheduled to occur over a four-weekend period (3/6/99, 3/13/99, 3/27/99, and 4/10/99), and will test predetermined Year 2000 critical dates (12/29/99, 12/30/99, 12/31/99, and 1/3/00). The Industry Cycle Test allows firms to execute, clear, and settle trades with the participating exchanges and clearing corporations to test systems' functionality. Participants must complete prerequisite testing prior to participation in the Industry Cycle Test. There is an additional weekend testing date for both mutual funds and options dealers. Mutual funds must also test on 4/17/99 (with a system date of 1/4/00) and options dealers must test on 4/24/99 (with a system date of 1/22/00).
3. If I have no external electronic interfaces, am I exempt from testing?

If a firm has no external electronic interfaces, it would not be able to participate in point-to-point or industry tests. However, as part of best business practices, firms still need to test their internal electronic systems. Member firms are reminded that testing of critical environmental systems, including security systems, HVAC, elevators, etc., also should be included in their overall Year 2000 project plan. If your firm is selected for testing and does not have any external electronic interfaces, you must notify NASD Year 2000 Membership Support Services and request to be exempted from the mandate. The NASD will review all requests and determine whether it is appropriate to start the request.
4. How do I register for industry testing?

If you do not have an SIA How to Test Guide, you may register for SIAsponsored tests by visiting the SIA Year 2000 Web Site at www.siay2k.com or call the SIA at (888) Y2K-4SIA (888-925-4742).
5. Whom do I contact to test NASD Regulation/Nasdaq applications?

For NASD Regulation applications, contact the NASD Testing Center Help Line at (888) 227-1330, Option 3. For Nasdaq application testing, the Nasdaq Testing Center may be contacted at (800) 288-3783. You will be able to schedule tests and receive testing specifications through these numbers.
6. Whom should I test with?

Member firms should conduct testing with any entity that has an external, electronic interface to the firm. For example, firms would want to test connections with correspondent clearing firms, banks, exchanges, and any other mission-critical service provider, if applicable. While the NASD Rule does not mandate testing with every organization that a firm might have an electronic connection to, as part of a firm's risk assessment, the firm should evaluate any potential risk that not testing an interface or connection might have to its business operation. Contingency plans should be developed for all tested and non-tested interfaces or connections.
7. What is the policy regarding proxy testing for firms that rely on service providers or software vendors for mission-critical products and services?

To the extent possible, firms should test their systems in their own environment. However, it is not always feasible for firms that rely on service providers (serviced firms) or software purchased from vendors (turnkey firms) to test in their own environment. For this reason, firms may rely on proxy tests conducted by service providers, as specified in the NASD Mandatory Testing requirements listed on the Internet (www.siay2k.com). Proxy testing is a term used to refer to testing that is conducted on like systems and with like interfaces for the purpose of not having to repeat identical tests that would provide the identical results. Firms utilizing the proxy should ensure that the proxy testing was conducted with a firm of similar complexity and size as their firm, using similar operating systems and software. Since the objective of every member is to conduct any testing and preparations necessary to transition its business, each member should evaluate and determine when and where proxy testing is appropriate for its organization and risk profile. Listed below are a few helpful hints that firms should consider when evaluating the applicability of proxy testing of mission-critical systems.

  • Proxy tests are conducted using the same version of Year 2000-ready software that is used to service the firm.


  • Proxy tests are conducted using the same hardware and operating systems that are used by the firm. Where there are differences, the firm should verify and document how the differences would affect processing.


  • For any customized software or services used, a firm should test relevant date-dependent functions. A firm also should test systems and interfaces under its direct control and those functions not covered in the proxy testing. These include items unique to the firm, as well as those for which there are an insufficient number of common users to develop acceptable proxy tests.
8. Should firms hire outside auditors or consultants to verify their testing processes?

Member firm management may use qualified independent internal parties or external parties to verify the testing process. If the firm lacks internal expertise, management should use other qualified professionals, such as management consultants or CPA firms, to provide an independent review. Verification of the testing process should involve the project manager, the owner or user of the system tested, and an objective independent party such as an auditor, consultant, or other qualified individual. This objective verification should ensure that the testing process is effective, that key dates are checked, and that any changes result in reliable information processing.
9. May a firm test its remediated mission-critical applications at a hot-site location (a disaster recovery site equipped with an appropriate computer and associated equipment)?

If a firm determines that the hardware and operating systems used at the hot site are the same as the hardware and operating systems (type and version) used in-house, then the firm may test at a hot site. If the hardware and operating systems are not the same as those used in-house, hot sites may be used if the firm can demonstrate that the differences will not cause future processing problems. The hardware and software (including interfaces) running at the hot site should be Year 2000-ready.
10. Can testing be eliminated if the software uses an eight-digit date field?

An eight-digit date field does not relieve firms, service providers, or software vendors from the need to test systems and applications or otherwise ensure that the firm's technical environment, including communications systems, software and hardware, are Year 2000-ready. The number of digits in a date field is not necessarily determinative of whether a system or application is Year 2000-ready. For example, data received from internal or external sources may not have an eight-digit date field, and, therefore, might not be compatible. The differences from incompatible date routines may not become apparent until testing is performed. Also, an eight-digit date field does not ensure accurate leap year processing. Another purpose of testing is to ensure that all date fields and date routines have been made Year 2000-ready. In addition, sometimes what appears to be an eight-digit date field is not. Users may be required to enter eight digits, but the software may be dropping the century indicators and processing using only the remaining six digits.
11. If a firm tested a particular software product in 1998 and receives an update to the product in 1999, does it need to test the updated version?

The following factors should be considered when determining whether an update, new release, or patch to a mission-critical software application or operating system should be re-tested thoroughly, partially, or not at all:

  • The firm should consult with its service provider or software vendor to identify the types of changes made, and the extent to which the service provider or software vendor has conducted internal testing before releasing the updated product or service.


  • If the changes do not affect date fields or date-related calculations, the firm may not have to test, other than to perform acceptance testing that would accompany the introduction of any software update, release, or patch; or new or updated operating system; and,


  • If the changes affect date fields or date-related calculations, the firm should ensure the new release, update, or patch is appropriately tested, and that the service provider or software vendor has adequately documented and warranted the specific testing performed to ensure continued Year 2000 readiness.
As the Year 2000 approaches, fir m s should carefully evaluate the benefit s and risks of installing new software, software upgrades, or operating system upgrades given the potential Year 2000 complications. For example, the SEC published and is imposing a moratorium on any new systems that had not been previously planned for by the SROs.
12. What testing documentation should firms retain?

Firms should retain appropriate documentation associated with Year 2000 efforts. Among others, regulators or self-regulators may request production of such documents to satisfy their review or examinations of data provided in any Form BD-Y2K filing or other Year 2000 disclosure document. Specifically, firms must be able to present sufficient documentation to enable examiners to perform comprehensive Year 2000 examinations. The documentation retained should enable regulatory staff to understand which tests were performed, which applications, systems, or hardware were tested, the results, and how the results were validated. Testing documentation may also assist firms in resolving issues that may occur after the century date change. The following list includes some of the testing documentation items that firms might consider retaining:

  • The organization's overall Year 2000 plan and its Year 2000 testing plan.


  • The types of tests performed (e.g., baseline, unit, regression) and a summary of the results.


  • The reason the firm chose the tests and how extensive those tests were.


  • The criteria used to determine whether an application or system is Year 2000-ready.


  • Plans for remediating and re-testing any computers, systems, or applications that failed Year 2000 tests.


  • The names of persons responsible for authorizing the testing plan and accepting testing results.


  • Communications with service providers and software vendors, including assurances regarding their service or product.


  • Any other documentation the fir m believes supports its decisions and conclusions, as well as its due diligence effort.