FINRA Requests Comment on the Effectiveness and Efficiency of Its Rule on Business Continuity Plans and Emergency Contact Information
FINRA is conducting a retrospective review of Rule 4370 (Business Continuity Plans and Emergency Contact Information), FINRA's emergency preparedness rule, to assess its effectiveness and efficiency. This Notice outlines the general retrospective rule review process and seeks responses to several questions related to firms' experiences with this specific rule.
Questions regarding this Notice should be directed to:
FINRA encourages all interested parties to comment. Comments must be received by April 26, 2019.
Comments must be submitted through one of the following methods:
Jennifer Piorko Mitchell
Office of the Corporate Secretary
1735 K Street, NW
Washington, DC 20006-1506
To help FINRA process comments more efficiently, persons should use only one method to comment.
Important Notes: All comments received in response to this Notice will be made available to the public on the FINRA website. In general, FINRA will post comments as they are received.1
Background & Discussion
FINRA believes that it is appropriate, after a reasonable period of time, to look back at its significant rulemaking to determine whether a FINRA rule or rule set2 is meeting its intended investor-protection objectives by reasonably efficient means. FINRA further believes that a retrospective review should include a review not only of the substance and application of a rule or rule set, but also FINRA's processes to administer the rules. FINRA conducts retrospective rule reviews on an ongoing basis to ensure that its rules remain relevant and appropriately designed to achieve their objectives, particularly in light of environmental, industry and market changes.
In conducting the review of Rule 4370, FINRA staff will follow a similar process to previous retrospective rule reviews. In general, the review process consists of an assessment and action phase. During the assessment phase, FINRA will evaluate the efficacy and efficiency of the rule or rule set as currently implemented, including FINRA's internal administrative processes. FINRA will seek input from affected parties and experts, including its advisory committees, subject-matter experts inside and outside of the organization, and other stakeholders, including industry members, investors, interested groups and the public. FINRA staff will assess issues including the existence of duplicative, inconsistent or ineffective regulatory obligations; whether market or other conditions have changed to suggest there are ways to improve the efficiency or effectiveness of a regulatory obligation without loss of investor protections; and potential gaps in the regulatory framework.
Upon completion of this assessment, FINRA staff will consider appropriate next steps, which may include some or all of the following: modifications to the rule, updated or additional guidance, administrative changes or technology improvements, or additional research or information gathering.
The action phase will then follow. To the extent action involves modification of rules, FINRA will separately engage in its usual rulemaking process to propose amendments to the rules based on the findings. This process will include input from FINRA's advisory committees and an opportunity for comment on specific proposed revisions in a Regulatory Notice or rule filing with the SEC, or both.
Request for Comment
Rule 4370 is the successor rule to NASD Rules 3510 (Business Continuity Plans) and 3520 (Emergency Contact Information).3 After the events of September 11, 2001, FINRA closely studied the securities markets and industry's recovery capability to assess whether any regulatory action would be needed to assure swift recovery in the event of any future significant business disruptions. As a result of that study, FINRA (then NASD) adopted in 2004 NASD Rules 3510 and 3520 to help ensure that member firms would be able to continue their business operations in the event of such disruptions. In 2009, FINRA adopted those rules, without substantive change, as Rule 4370 in the consolidated FINRA rulebook.4
Rule 4370 requires a member firm to create, maintain, annually review and update upon any material change a written business continuity plan identifying procedures relating to an emergency or significant business disruption. While each member firm needs to conduct its own risk analysis to determine where critical impact points and exposures exist within the firm and with its counterparties and suppliers, significant business disruptions for purposes of business continuity planning may include, among other things, natural disasters, pandemics, terrorist attacks and cyber events.5 In addition, member firms that heavily leverage technology for their business systems and infrastructure may have an increased risk of significant business disruptions associated with cyber events and technology-related disruptions.
Each member firm has flexibility to tailor the business continuity plan to the size and needs of its business, provided that the plan addresses the enumerated minimum elements to the extent applicable and necessary to the firm. The rule also requires each member firm to disclose (at a minimum, in writing at account opening, by posting on its website, and by mailing upon request) to its customers how the business continuity plan addresses the possibility of a future significant business disruption and how the member firm plans to respond to events of varying scope.
In addition, Rule 4370 requires each member firm to provide (and promptly update upon any material change) to FINRA prescribed emergency contact information for the member firm. This requirement is intended to ensure that FINRA has a reliable means of contacting each member firm in the event of an emergency. The rule requires the member firm to designate two associated persons as emergency contact persons, at least one of whom is a member of senior management and a registered principal of that firm. If a member firm designates a second emergency contact person who is not a registered principal, the rule requires the person to be a member of senior management who has knowledge of the member firm's business. For a member firm with only one associated person (e.g., a sole proprietorship), the second emergency contact person may be an individual, either registered with another firm or nonregistered, who has knowledge of the member firm's business operations, such as the firm's attorney, accountant or clearing firm contact.
FINRA seeks answers to the following questions with respect to these rules:
In addition to comments responsive to these questions, FINRA invites comment on any other aspects of the rule that commenters wish to address. FINRA further requests any data or evidence in support of comments. While the purpose of this Notice is to obtain input as to whether or not the current rule is effective and efficient, FINRA also welcomes specific suggestions as to how the rule should be changed. As discussed above, FINRA will separately consider during the action phase specific changes to the rules.
1. Persons submitting comments are cautioned that FINRA does not redact or edit personal identifying information, such as names or email addresses, from comment submissions. Persons should submit only information that they wish to make publicly available. See Notice to Members 03-73 (November 2003) (Online Availability of Comments) for more information.
2. A rule set is a group of rules identified by FINRA staff to contain a similar subject, characteristics or objectives.
3.See Exchange Act Release No. 49537 (Apr. 7, 2004), 69 Fed. Reg. 19586 (Apr. 13, 2004) (SEC Notice of Order Approving File No. SR-NASD-2002-108). See also Notice to Members 04-37 (May 2004).
4.See Exchange Act Release No. 60534 (Aug. 19, 2009), 74 FR 44410 (Aug. 28, 2009) (Order Granting Accelerated Approval of Proposed Rule Change, as Modified by Amendment No. 1; File No. SR-FINRA-2009-036) (approving the adoption, without material change, of NASD Rule 3510 (Business Continuity Plans) and NASD Rule 3520 (Emergency Contact Information) as FINRA Rule 4370). See also Regulatory Notice 09-60 (Oct. 2009).
5.See, e.g., Regulatory Notice 09-59 (Oct. 2009) and FINRA's Small Firm Business Continuity Plan Template [http://www.finra.org/industry/small-firm-business-continuity-plan-template]. See also FINRA's Business Continuity Planning FAQ 16 [http://www.finra.org/industry/faq-business-continuity-planning-faq].