Skip to main content

October 16, 2019

Business Continuity Plans (BCPs)

Regulatory Obligations

FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) requires firms to create and maintain a written BCP with procedures that are reasonably designed to enable firms to meet their obligations to customers, counterparties and other broker-dealers during an emergency or significant business disruption.10 The rule also requires firms to review and update their BCPs, if necessary, in light of changes to firms’ operations, structure, business or location. Further, although most introducing firms rely, to some extent, on their clearing firms to allow customers to access their accounts and enter transactions, they are responsible for compliance with the BCP rule.

Noteworthy Examination Findings

FINRA found some firms encountering challenges where their BCPs did not reflect certain market conditions, business models or other circumstances.

  • Incomplete Mission-Critical Systems – Some firms’ BCPs did not identify all of their mission-critical systems. Omitted systems included those used for order management for trading desks, or vendor systems that processed and managed financing transactions, such as securities lending and repurchase agreements.
  • Insufficient Capacity – Some larger firms did not have sufficient capacity to handle substantially increased call volumes and online activity during a business disruption, which affected customers’ ability to access their accounts.
  • No Updates for Operational Changes – Some firms did not update their BCPs after significant operational changes, such as outsourcing critical operational functions, relocating data centers or replacing other key systems, including trading desk order management systems or other systems that are critical to firms’ business lines.
  • Outdated Contact Information – Some firms’ BCPs contained outdated emergency contact information and did not identify how customers could access their funds and securities during a business disruption.
  • Local Document Storage – Some firms allowed employees to maintain critical working documents on their computers’ local drives rather than requiring that they be stored on the firms’ network. Firms should review their controls to test whether these files would be secure and readily accessible.
  • No Registered Principal Registrations – Some senior management personnel, who were responsible for performing the annual BCP review, did not maintain the required registered principal registration.11

Effective Practices

Firms implement a number of effective practices to fulfill their obligations under the rule, especially those relating to testing of their BCP plans.

  • Engaging in Annual Testing – Firms tested their BCPs as part of their annual review to confirm that the BCP was updated, and to evaluate its effectiveness, especially with respect to the functioning of mission-critical systems and processes, availability of key personnel and access to physical contingency site location(s). As part of these tests, some firms assessed their remote access capabilities to such systems, as well as evaluated and documented their ability to failover from one server to another. Firms also included key vendors in their BCP tests and documented results from those tests.
  • Incorporating Test Results into Firm Training – Firms found these tests can be a valuable tool, not only to identify weaknesses in their BCPs, but also to train staff on how to implement the program, should that become necessary.

Additional Resources

10 Pursuant to Regulatory Notice 19-06 (FINRA Requests Comment on the Effectiveness and Efficiency of Its Rule on Business Continuity Plans and Emergency Contact Information), FINRA is conducting a retrospective review of Rule 4370. This section is intended to provide firms with findings solely relating to compliance with existing Rule 4370 and does not address the outcome of that review or any potential revisions to the rule.

11 See FINRA Rule 4370(d).