Subsequent to the events of 9/11, NASD developed the Rule 3500 series which was approved by the SEC on April 7, 2004. This series of rules was developed to require NASD members to develop and maintain emergency preparedness plans and procedures. Also, subsequent to hurricanes Katrina, Rita and Wilma which struck the mainland U.S. in 2005, NASD implemented requirements related to emergency contact information that must be maintained with FINRA through Rule 1160 and the FINRA Contact System.
Today, FINRA’s Rule 4370 covers Business Continuity Plans and Emergency Contact Information. FINRA requires each of its members to have procedures in place that are designed to ensure that the member is able to meet its obligations to customers, including other broker-dealers and counterparties. This plan must be maintained on a current basis, and should be updated whenever the broker-dealers operations change materially, but not less than annually. Many broker-dealers handle this as part of their annual review of supervisory controls.
FINRA allows members flexibility when it comes to designing their business continuity plans. However, Rule 4370 specifies certain minimum requirements including: data back-up and recovery, mission critical systems, financial and operational assessments, alternative methods of communicating with customers and employees, critical business constituent, bank and counter-party impact, regulatory reporting, communications with regulators, and how the broker-dealer will ensure that customers have prompt access to their funds and securities.
As with most requirements of this type, a member must have a written plan and it must be approved in writing by a member of senior management who is also a registered principal of the firm. Certain elements of the plan must be disclosed to customers at the time the account is opened and on any website maintained by the firm. FINRA requires that its members designate an emergency contact and that they maintain the currency of this contact information.
When an actual emergency happens, experience has shown that broker-dealers who have robust business continuity plans that are tested regularly will experience much less disruption than those who do not take this requirement seriously. A canned BCP that is not tailored to the firm’s operations will at best cause confusion during a real emergency, and at worst result in serious disruption, possible reputational damage and regulatory disciplinary action.
If you have questions about how a BCP may be best designed for your firm, Mitch Atkins, FINRA’s former South Region Director is now Principal at FirstMark Regulatory Solutions and can be reached by calling 561-948-6511.