FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) is a topic that can appear on the Series 24 and Series 99 exams. We thought we would provide an overview here for you today.
The essence of this proactive rule is preparing for unpredictable events. It requires that a member implement and maintain a written, up-to-date business continuity plan that identifies the reasonable procedures the member will follow in responding to a significant business disruption (SBD) so that it can meet its obligations to customers, and that the member communicate these procedures to those customers. The plan could state that the member intends to stay in business, to discontinue business temporarily (and for how long), or even to go out of business permanently. A member stating in its plan that it might need to go out of business would be required to disclose to customers how it would give them prompt access to their funds and securities under those circumstances.
Each member needs to conduct its own risk exposure analysis to determine specific vulnerability points, not only within itself but also within the firms it depends on to function (e.g., software suppliers and data backup vendors). A senior management official who is also a registered principal must approve the plan. Procedures must be updated whenever there is a material change in the member’s business. There is also a requirement for an annual review.
The BCP must be tailored to the nature of the member’s business; no single template fits all. The plan should take into account such considerations as size (one building with a few employees, or numerous buildings spread over many states with a large number of employees?), location (hurricane or earthquake country?), type of business (introducing firm only, or full-service?), and the businesses with which the member has ongoing commercial relationships (e.g., counter-parties, banks, and vendors).
Disclosing how a firm intends to meet an emergency is an important requirement of the rule. Customers must be provided with enough information to make informed decisions about whether they want to do business with a firm. “Is this a firm I am comfortable enough with to handle my funds and securities now and in an emergency?”
Required Elements of the Plan
While the components of a BCP are flexible, there are 10 critical elements that must be addressed. If a member feels an element is not applicable to its business model, it need not address that category; however, it must document the rationale for not including it. Members that rely on another entity to address any of these elements are required to supply the details of this arrangement.
- Data Backup and Recovery—Hardcopy and Electronic
- All Mission Critical Systems
- Financial and Operational Assessments
- Alternate Communications between Customers and the Member
- Alternate Communications between the Member and Its Employees
- Alternate Physical Location of Employees
- Critical Business Constituent, Bank, and Counter-Party Impact
- Regulatory Reporting
- Communications with Regulators
- Assurance of Customers’ Access to Funds and Securities in the Event that the Member Is Unable to Continue Its Business
While Rule 4370 does not specifically require that a business continuity plan be tested, testing is the final step in assuring continuity of service to customers. It is through testing that we determine whether our plan is practical or merely theoretical, and whether we are actually addressing our vulnerability to disasters, man-made or natural, or simply adding pages to our compliance manual. You do not want to find out during an emergency that your backup systems are not backing you up, or that your servers are unable to service your needs.
Thanks for spending time with us. We hope you found it worthwhile.
—Securities Training Corporation