4370. Business Continuity Plans and Emergency Contact Information
(a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to FINRA staff.
(b) Each member must update its plan in the event of any material change to the member's operations, structure, business or location. Each member must also conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business, or location.
(c) The elements that comprise a business continuity plan are flexible and may be tailored to the size and needs of a member. Each plan, however, must at a minimum, address:
(1) Data back-up and recovery (hard copy and electronic);
(2) All mission critical systems;
(3) Financial and operational assessments;
(4) Alternate communications between customers and the member;
(5) Alternate communications between the member and its employees;
(6) Alternate physical location of employees;
(7) Critical business constituent, bank, and counter-party impact;
(8) Regulatory reporting;
(9) Communications with regulators; and
(10) How the member will assure customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
Each member must address the above-listed categories to the extent applicable and necessary. If any of the above-listed categories is not applicable, the member's business continuity plan need not address the category. The member's business continuity plan, however, must document the rationale for not including such category in its plan. If a member relies on another entity for any one of the above-listed categories or any mission critical system, the member's business continuity plan must address this relationship.
(d) Members must designate a member of senior management to approve the plan and he or she shall be responsible for conducting the required annual review. The member of senior management must also be a registered principal.
(e) Each member must disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. At a minimum, such disclosure must be made in writing to customers at account opening, posted on the member's Web site (if the member maintains a Web site), and mailed to customers upon request.
(f)(1) Each member shall report to FINRA, via such electronic or other means as FINRA may specify, prescribed emergency contact information for the member. The emergency contact information for the member includes designation of two associated persons as emergency contact persons. At least one emergency contact person shall be a member of senior management and a registered principal of the member. If a member designates a second emergency contact person who is not a registered principal, such person shall be a member of senior management who has knowledge of the member's business operations. A member with only one associated person shall designate as a second emergency contact person an individual, either registered with another firm or nonregistered, who has knowledge of the member's business operations (e.g., the member's attorney, accountant, or clearing firm contact).
(2) Each member must promptly update its emergency contact information, via such electronic or other means as FINRA may specify, in the event of any material change. With respect to the designated emergency contact persons, each member must identify, review, and, if necessary, update such designations in the manner prescribed by Rule 4517.
(g) For purposes of this Rule, the following terms shall have the meanings specified below:
(1) "Mission critical system" means any system that is necessary, depending on the nature of a member's business, to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.
(2) "Financial and operational assessment" means a set of written procedures that allow a member to identify changes in its operational, financial, and credit risk exposures.
Amended by SR-FINRA-2015-004 eff. Feb. 12, 2015.
Amended by SR-FINRA-2009-036 eff. Dec. 14, 2009.
Amended by SR-NASD-2007-034 eff. Dec. 31, 2007.
Adopted by SR-NASD-2002-108 eff. Aug. 11, 2004 (Clearing Firms), Sep. 10, 2004 (Introducing Firms).
Selected Notices: 04-37, 07-42, 09-60.
- Regulatory Notice 19-06 (February 25, 2019)
- Regulatory Notice 18-25 (August 13, 2018)
- Regulatory Notice 18-23 (July 26, 2018)
- Regulatory Notice 18-05 (February 06, 2018)
- Regulatory Notice 13-29 (September 20, 2013)
- Regulatory Notice 13-32 (October 09, 2013)
- Regulatory Notice 13-25 (August 16, 2013)
- Regulatory Notice 11-48 (October 21, 2011)
- Regulatory Notice 09-60 (October 15, 2009)