Business Continuity Planning FAQ
1. What is the purpose of the disclosure requirement in FINRA Rule 4370(e)?
The purpose of the disclosure requirement in FINRA Rule 4370(e) is to assist customers in making educated decisions about whether to place their funds and securities at a specific firm. The disclosure may state that the firm's BCP is subject to modification. Each firm is required to disclose to its customers how its BCP addresses the possibility of a future significant business disruption and how the firm plans to respond to events of varying scope. However, firms are not required to disclose their actual BCP, including any proprietary information, but rather can provide appropriate levels of summary information.
2. Our firm's business consists primarily of selling variable insurance products. Although we sell the product, the customer needs to deal with the insurance company in question if there is a problem. How do we treat this situation in our BCP under FINRA Rule 4370?
A firm that sells variable insurance products cannot defer its regulatory and customer protection responsibilities to a third party. A firm may, however, tailor its BCP to the needs and business of the firm. In tailoring the plan, the firm must consider its customers' needs in the event of a significant business disruption, and plan accordingly. In the situation presented, the plan should, for instance, consider what the firm's primary responsibilities are, but also include information on the entities that customers would need to contact to access their assets and funds. The firm should also provide customers with any needed information regarding assets held away from the firm.
3. Our firm is a market maker that deals solely with other firms, so we have no retail "customers." To whom, if anyone, should we disclose how our BCP addresses the possibility of a future significant business disruption and how we plan to respond to events of varying scope under FINRA Rule 4370?
As we have stated, each firm's BCP must be tailored to meet its specific needs. This underlying principle also applies to disclosure of how a firm plans to address a significant business disruption. Therefore, although there is no obligation to disclose how your BCP addresses the possibility of a future significant business disruption to non-customers, a copy of the disclosure should be made available to any non-customer with which you do business so that these individuals and firms can determine for themselves the efficacy of the firm's BCP.
4. In what manner should our firm disclose to our customers a summary of how our Business Continuity Plan (BCP) addresses the possibility of a future significant business disruption and how we plan to respond under FINRA Rule 4370?
At a minimum, this disclosure must be made in writing to customers at account opening, posted on your website (if you have one), and mailed to customers upon request.
5. How often should our firm review its Business Continuity Plan (BCP) under FINRA Rule 4370?
FINRA Rule 4370 requires each firm to conduct an annual review of its BCP. In addition to an annual review, your firm must update its BCP in the event of any material change to your firm's operations, structure, business, or location.
6. What does FINRA Rule 4370(e) require?
FINRA Rule 4370(e) states:
Each member must disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. At a minimum, such disclosure must be made in writing to customers at account opening, posted on the member's Internet Web site (if the member maintains a Web site), and mailed to customers upon request.
The intent behind this part of the rule is to provide customers and counterparts with appropriate levels of information so that they may make an informed decision about doing business with your firm.
7. Our firm's business is done solely on an RVP/DVP basis. To whom should we disclose how our Business Continuity Plan (BCP) addresses the possibility of a future significant business disruption and how we plan to respond to events of varying scope under FINRA Rule 4370?
BCPs should be reasonably designed to enable a firm to meet its existing obligations to customers and address existing relationships with other broker/dealers and counterparties. To the extent a firm does not have any customers, it should disclose this information to the business constituents or other non-customers that rely on the firm as part of the overall transaction process.
8. My firm is a sole proprietorship. I am the sole registered principal, but I employ two registered representatives. I will register myself as the first emergency contact person, but who should be the second emergency contact person under FINRA Rule 4370?
The second emergency contact person should be one of the registered representatives at your firm who is a member of senior management and has knowledge of your firm's business operations.
9. Under FINRA Rule 4370, how do I register the names of my firm's two emergency contact persons?
This is done electronically through the FINRA Contact System (FCS).
10. What kind of information should be disclosed to customers, as required by Rule 4370?
FINRA Rule 4370(e) does not require firms to disclose their entire BCPs to their customers. Under this rule, members are required only to summarize the manner in which their BCPs address the possibility of significant business disruptions. Firms are not required to disclose the specific location of any back-up facilities, any proprietary information contained in the BCP, or the parties with whom the firm has back-up arrangements. Instead, the disclosure should address how the firm would react to events of varying scope. For example, the disclosure should provide:
11. Our firm is a member of the Securities Investor Protection Corporation (SIPC). Won't SIPC take care of my customers, with respect to access to their funds and securities, in the event of a significant business disruption?
FINRA's BCP requirements do not conflict with SIPC rules or with a firm's obligation under such rules. FINRA Rule 4370(c)(10) requires firms' BCPs to state how the firm will assure customers prompt access to their funds and securities in the event that the firm determines that it is unable to continue its business. If you believe that SIPC rules might affect your response to this requirement, you should address it in your BCP. You cannot, however, rely on SIPC membership, by itself, to satisfy your obligations under FINRA Rule 4370(c)(10).
12. Should disclosure statements be updated? If so, should updated disclosure statements be communicated to the firm's customers?
NASD Notice to Members 04-37 states in the Disclosure Requirements section that "Members may use cautionary language in their business continuity plans indicating that such plans are subject to modification, that updated plans will be promptly posted on the member's Web site, and that customers may alternatively obtain updated plans by requesting a written copy of the plan by mail." This section is referring to disclosure statements, not BCPs. Disclosure statements should only be updated and communicated to customers when changes to a firm's BCP materially change the firm's response to a significant business disruption.
13. How often should our firm update our emergency contact information under FINRA Rule 4370?
FINRA Rule 4370(f) requires each firm to promptly update its emergency contact information in the event of a material change. In addition, firms must review and, if necessary, update their emergency contact information. This update must include any change to the designation of the two emergency contact persons.
Each firm must review and, if necessary, update its emergency contact information in the manner prescribed by NASD Rule 1160. NASD Rule 1160 requires firms, via the FINRA Contact System (FCS), to update designated contact information promptly upon any material change (but no later than 30 days following the change) and verify such information within 17 business days after the end of each calendar year.
14. Does FINRA Rule 4370 require firms to disclose their BCPs to their customers?
No. Disclosure statements and BCPs are separate documents. Firms are required to prepare and give their customers a disclosure statement that describes how the firm intends to respond to a significant business disruption, but firms are not required to disclose their BCPs to their customers.
15. Would my firm be required to stay in business in the event of a significant business disruption?
No. However, under FINRA Rule 4370(c)(10), your BCP must address how you will assure customers' prompt access to their funds and securities in the event that you determine that your firm is unable to continue its business.
16. Where can I find information about the Small Firm Emergency Partner Program?
FINRA, in consultation with NASAA and an industry working group, developed the Small Firm Emergency Partner Program (SFEPP), a voluntary initiative that helps firms partner with each other in preparation for a potential business disruption. Should one occur, the affected firm can rely on its partner—a similar but distant firm—to temporarily service the affected firm's customers while it recovers. Once the affected firm has fully recovered, the support firm's access to the affected firm's customers will discontinue. For more information, please visit our SFEPP Web page.
17. My business is not located in an earthquake or hurricane zone. I do not believe we are at risk for a flood. What other types of disruptions should we consider for our BCP?
As the question notes, firms have varying and often unique types and levels of exposure to potential business disruptions. Some potential disruptions, like hurricanes, only occur in certain geographic areas while others, like a pandemic, could impact all firms. Each firm needs to conduct its own risk analysis to determine where critical impact points and exposures exist within the firm and with its counterparties and suppliers. The extent to which any member needs to prepare for various types of disruptions depends on, among other things, the size of the firm, its office locations, its counterparty and service provider relationships, and the nature of its business. Firms should also look beyond potential disruptions relating only to meteorological or geological events. Firms should consider their susceptibility to evolving risks and disruptions. Such potential disruptions may result from an infectious pandemic, as noted above, or from a technology-related disruption such as technology viruses, large-scale or targeted brokerage account intrusions, denial of service attacks, or other cyber attacks.
18. My firm is a sole proprietorship with no other personnel. I will register myself as the first emergency contact person, but who should be the second emergency contact person under FINRA Rule 4370?
The second emergency contact person should be an individual, either registered with another firm or nonregistered, who has knowledge of the member's business operations (e.g., the member's attorney, accountant, or clearing firm contact).
19. Is my firm required to test its BCP?
The required annual review may include testing of specific functions or functionality. For example, a firm may test the functionality of back-up technology or of a designated "emergency personnel team" in a simulated business disruption. Testing in such a manner would help a firm better determine whether it has met the "reasonably designed" threshold of FINRA Rule 4370(a). See Notice to Members 06-74 regarding the importance of effective and appropriate BCP testing as it related to Hurricanes Katrina and Rita in 2005. The importance of testing was also highlighted in Regulatory Notice 09-59, which addresses pandemic preparedness. Assuming no changes in operations, structure, business or location, a firm may decide to rely on initial or prior due diligence work or testing performed by internal personnel or a vendor when conducting its annual BCP review. For example, one year a firm tests a back-up server that is part of its BCP. The following year during the firm's annual BCP review, the firm may determine not to conduct a new server test but rather to rely on the previous year's test, since there were no material changes in conditions.
If a firm relies on initial or prior due diligence or testing for its annual BCP review, it should consider whether changes in the firm's operations, structure, business or location make such information outdated or unreliable.