Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief
Due to the recent outbreak of coronavirus disease (COVID-19), FINRA reminds member firms to consider pandemic-related business continuity planning, including whether their business continuity plans (BCPs) are sufficiently flexible to address a wide range of possible effects in the event of a pandemic in the United States. Each member firm is also encouraged to review its BCP to consider pandemic preparedness and to review its emergency contacts to ensure that FINRA has a reliable means of contacting the firm. This Notice also provides pandemic-related guidance and regulatory relief to member firms from some requirements. As coronavirus-related risks decrease, member firms should expect to return to meeting any regulatory obligations for which relief has been provided.
Questions regarding this Notice should be directed to:
- Bill Wollman, Executive Vice President, Head of Office of Financial and Operational Risk Policy, at (646) 315-8496;
- Jeanette Wingler, Associate General Counsel, Office of General Counsel, at (202) 728-8013; or
- the FINRA Call Center at (301) 590-6500.
Background and Discussion
Rule 4370 (Business Continuity Plans and Emergency Contact Information) requires a member firm to create, maintain, review at least annually and update upon any material change, a BCP identifying procedures relating to an emergency or significant business disruption. BCPs should be reasonably designed to enable a member firm to meet its existing obligations to customers and address existing relationships with other broker-dealers and counterparties. Each member firm needs to conduct its own risk analysis to determine where critical impact points and exposures exist within the firm and with its counterparties and suppliers.
Each member firm has flexibility to tailor its BCP to the size and needs of its business, provided that the BCP addresses the enumerated minimum elements set forth in Rule 4370 to the extent applicable and necessary to the firm’s business.1 Provided the enumerated minimum elements are met, FINRA recognizes that the scope and complexity of BCPs are likely to vary based on member firm size and business model.2
Rule 4370 also requires each firm to provide (and promptly update upon any material change) to FINRA via electronic process or other means as FINRA may specify, prescribed emergency contact information, including the designation of two emergency contact persons, both of whom must be associated persons. Member firms may register and update their emergency contact persons through the FINRA Contact System (FCS). Visit FINRA’s FCS webpage to access the system.
This requirement is intended to ensure that FINRA has a reliable means of contacting each member firm in the event of an emergency. One contact must be a member of senior management and a registered principal of the member firm and the second contact, if not a registered principal, must be a member of senior management who has knowledge of the firm’s business operations. For a firm that has only one associated person (e.g., a sole proprietorship without any other associated persons), the second emergency contact person may be an individual, either registered with another firm or nonregistered, who has knowledge of the member firm’s business operations, such as the firm’s attorney, accountant or clearing firm contact.
Member Firms are Encouraged to Review their BCPs to Consider Pandemic Preparedness
A pandemic occurs when there is a widespread disease outbreak. While a pandemic may vary in severity and duration, it may present significant financial or operational risks for a member firm for its duration and beyond. A member firm may conduct its own analysis to determine whether a pandemic or any other event constitutes an emergency or significant business disruption for the firm and, thereby, causes the firm to activate its BCP.
Member firms are encouraged to review their BCPs to consider pandemic preparedness, including whether the BCPs are sufficiently flexible to address a wide range of possible effects in the event of a pandemic in the United States. These effects may include staff absenteeism, use of remote offices or telework arrangements, travel or transportation limitations and technology interruptions or slowdowns.
Member firms are encouraged to contact their assigned FINRA Risk Monitoring Analyst to discuss the activation and implementation of their BCPs, as well as to discuss any issues they may be facing, including the disruption of business operations, and whether disruptions are solved or ongoing.
FINRA previously provided guidance on pandemic preparedness in Regulatory Notice 09-59.3 FINRA has had discussions with member firms regarding the present challenges related to COVID-19. Recognizing that health and safety is of paramount importance and that updated guidance and relief may be appropriate given the potential effects of coronavirus in the United States, updated pandemic-related guidance and regulatory relief to member firms from some requirements is below. This Notice does not create new rules or obligations on member firms, nor does the regulatory relief provided extend beyond the identified FINRA rules and requirements. Depending on the nature and impact of the COVID-19 outbreak, FINRA may provide additional, specific regulatory relief and guidance.
As coronavirus-related risks decrease, member firms should expect to return to meeting any regulatory obligations for which relief has been provided. When appropriate, FINRA will publish a Regulatory Notice announcing a termination date for the regulatory relief that will provide member firms with time to make necessary operational adjustments.
Remote Offices or Telework Arrangements
In an effort to mitigate the impacts of a pandemic, a member firm may consider employing methods such as social distancing, travel restrictions, revised sick leave policies, special pandemic leave time, or specialized seating plans for densely populated floors or buildings.4 These methods may also involve remote offices or telework arrangements (e.g., working from home or a backup or recovery location) for a broad range of employees.
FINRA understands that the use of remote offices or telework arrangements during a pandemic may necessitate a member firm to implement other ways to supervise its associated persons who change their work locations or arrangements for the duration of the pandemic. In such cases, FINRA would expect a member firm to establish and maintain a supervisory system that is reasonably designed to supervise the activities of each associated person while working from an alternative or remote location during the pandemic. With respect to oversight obligations, a member firm’s scheduled on-site inspections of branch offices may need to be temporarily postponed during the pandemic, with FINRA understanding that the ability to complete this annual regulatory obligation in 2020 may need to be re-evaluated depending on the duration and severity of the pandemic.
In addition, a member firm may find it helpful to test broad use of remote offices or telework arrangements by associated persons prior to activating its BCP, including regarding the ability to connect to critical firm systems, the adequacy of remote connectivity via residential internet access networks and any potential need to secure premium or dedicated service for connectivity.
Member firms should consider the increased risk of cyber events (e.g., systems being compromised through phishing attacks) as part of pandemic-related preparedness. The risk of cyber events may be increased due to use of remote offices or telework arrangements, heightened anxiety among associated persons and confusion about the virus. While member firms are understandably focused on business resiliency and health and safety of individuals, it is important that member firms remain vigilant in their surveillance against cyber threats and take steps to reduce the risk of cyber events. These steps may include: (1) ensuring that virtual private networks (VPN) and other remote access systems are properly patched with available security updates; (2) checking that system entitlements are current; (3) employing the use of multi-factor authentication for associated persons who access systems remotely; and (4) reminding associated persons of cyber risks through education and other exercises that promote heightened vigilance.
Form U4/Form BR
FINRA is temporarily suspending the requirement to maintain updated Form U4 information regarding office of employment address for registered persons who temporarily relocate due to COVID-19. In addition, member firms are not required to submit branch office applications on Form BR for any newly opened temporary office locations or space-sharing arrangements established as a result of recent events.
Emergency Office Relocations
If a member firm relocates personnel to a temporary location that is not currently registered as a branch office or identified as a regular non-branch location, the firm should use its best efforts to provide written notification to its FINRA Risk Monitoring Analyst as soon as possible after establishing a new temporary office or space-sharing arrangement, to include at a minimum the office address, the names of each member firm involved, the names of registered personnel, a contact telephone number and, if possible, the expected duration. The notification should also indicate whether the member firm’s personnel will be sharing space with another entity, and if so, the type of business in which it is engaged (e.g., an affiliated investment adviser or an organization in the securities business). FINRA reminds member firms that while a pandemic may create exigent circumstances that result in emergency relocations, firms should take into account the risks associated with sharing office space with another entity (e.g., customer privacy, information security or recordkeeping considerations) and take steps to mitigate the risks during the emergency relocation.
In addition, in instances where a non-branch location or branch office has been relocated, or customer calls are being rerouted to another office, member firms must exercise diligence in validating the identity of the customer (e.g., when accepting orders and request for disbursement of funds) as well as provide heightened supervision of the affected customer accounts.
Communicating With Customers
FINRA understands that member firms may experience significantly increased customer call volumes or online account usage during a pandemic (e.g., due to significant market movements), which may cause temporary operational challenges. Member firms are encouraged to review their BCPs regarding communicating with customers and ensuring customer access to funds and securities during a significant business disruption.
If registered representatives are unavailable to service their customers, member firms are encouraged to promptly place a notice on their websites indicating to affected customers who they may contact concerning the execution of trades, their accounts, and access to funds or securities. Supervisory control policies and procedures should be considered that will mitigate risks that may arise due to the reduced ability to communicate with customers, inability to rely on mail or other disruption to the existing controls over communications with customers.
Communicating With FINRA
As discussed above, member firms are required to provide FINRA with emergency contact information pursuant to Rule 4370. Member firms are encouraged to review their emergency contacts to ensure that FINRA has a reliable means of contacting each member.
If a member firm or another person is unable to contact FINRA through its usual contact due to a pandemic or other significant business disruption, please call FINRA’s Call Center at (301) 590-6500. This number will be rerouted in the event of a business disruption at FINRA's primary call center, so that the member firm or associated person will be able to reach an operator or receive recorded instructions.
Regulatory Filings and Responses to FINRA Inquiries, Matters and Investigations
In the event of a pandemic, member firms may have difficulty making timely regulatory filings (e.g., FOCUS filings, Form Custody filings and supplemental FOCUS information pursuant to FINRA Rule 4524 (Supplemental FOCUS Information)) and responding to regulatory inquiries or investigations. Member firms that require extra time to respond to open inquiries, investigations or upcoming filings should contact their Risk Monitoring Analysts or the relevant FINRA department to seek extensions.5 FINRA may waive any late fees incurred by a member firm based on the member firm’s particular circumstance. In addition, if any data communications are disrupted, member firms should retain the relevant data until it can be transmitted to FINRA.
In considering regulatory filing requirements, member firms are reminded of the requirements in Rule 15c3-3 under the Securities Exchange Act of 1934 (Exchange Act) regarding reserve formula computations and required deposits that are intended to protect customer funds and securities.6
Qualification Examinations and Regulatory Element Continuing Education
Any affected person who has a qualifications examination or continuing education window that is due to expire is encouraged to contact FINRA regarding an extension. Please contact FINRA’s Call Center at (301) 590-6500 with any questions or if you require additional information.
Military Personnel and National Guard
The declaration of an emergency in a specified area due to COVID-19 may result in some persons volunteering or being called into active military duty. FINRA Rule 1210 (Registration Requirements) provides specific relief to persons registered with FINRA who volunteer or are called into active military duty.7 For information on providing the required notification to FINRA, visit FINRA’s Active Military Leave Guidance webpage.
- Rule 4370(c) requires that each BCP, must at a minimum, address: (1) data back-up and recovery (hard copy and electronic); (2) all mission critical systems; (3) financial and operational assessments; (4) alternate communications between customers and the member; (5) alternate communications between the member and its employees; (6) alternate physical location of employees; (7) critical business constituent, bank, and counter-party impact; (8) regulatory reporting; (9) communications with regulators; and (10) how the member will assure customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
- FINRA has provided a Small Firm Business Continuity Plan Template as an optional tool to aid small firms.
- See also FAQs 16 and 18 in the FINRA Business Continuity Planning FAQs.
- Additional information from the Centers for Disease Controls (CDC) on strategies for businesses and employers to plan for and respond to COVID-19 is available on the CDC’s website.
- For information on requesting extensions of the requirement to file an Annual Audited Report no later than 60 calendar days after the date of a member firm's fiscal year end, visit FINRA’s Annual Audit Extension of Time Request Policy webpage.
- Exchange Act Rule 15c3-3(e)(3) requires a broker-dealer to prepare the reserve formula computations, necessary to determine the amount required to be deposited as specified in Rule 15c3-3(e)(1), to be made weekly, as of the close of the last business day of the week, and the deposit so computed to be made no later than one hour after the opening of banking business on the second following business day.
- Under Supplementary Material .10 to Rule 1210, these persons would be placed in a specially designated “inactive” status once FINRA is notified of their military call-up, but would remain registered for FINRA purposes.