User issues "VMSECURE MAINT PASSWORD" but violates a password length rule on the first try. They correct their error, but on the 2nd try the date check (we don't allow changing password 2 times the same day) fails because the NPASS EXEC is fed the current date as if the failed change actually worked. 

User console: 
11:36:10 VMXMAI0372R Select and enter a new password for your userid : 
11:36:18 VMXMAI0373R Please enter the same new password once again : 
11:36:24 VMXMAI0383I From exit: Rejected: Minimum password length is 15 characters. 
11:36:24 VMXMAI0372R Select and enter a new password for your userid : 
11:36:42 VMXMAI0373R Please enter the same new password once again : 
11:36:53 VMXMAI0383I From exit: Rejected: The password has already been changed today. 

VMSECURE CONSOLE with DEBUG flag on NPASS EXEC: 
invokee = AAAAAA 
newpw = LN:ZVN09FABGQ 
oldpw = XO0;!UPAC7G<*7I$ 
olddate = 18/09/10 
pw.1 = ME13pt@$tryit 
pw.2 = 032=JV9B:--W!LJ 
pw.3 = 032=JV9B:--W!LJ 
Password not at least 15 characters 
PASSWORD UserExit is NPASS 
invokee = AAAAAA 
newpw = LN:ZVN09A063J<RCA3%2J% 
oldpw = XO0;!UPAC7G<*7I$ 
olddate = 18/09/12 
pw.1 = ME13pt@$thisshouldwork 
pw.2 = 032=JV9B:--W!LJ 
pw.3 = 032=JV9B:--W!LJ 
Password changed once today already 
PASSWORD UserExit is NPASS 

NPASS uses your sample 'nextToken()' to fetch the args. The exec's date check is just "If olddate = date('ordered')" but as you can see from the VMSECURE console the last changed date is updated to today even though they change failed. 

Also, if the user aborts and tries again, and doesn't make any mistakes then the change is accepted. This is because the "*PW=yy/mm/dd" is still unchanged.