3510. Business Continuity Plans
This rule is no longer applicable. NASD Rule 3510 has been superseded by FINRA Rule 4370. Please consult the appropriate FINRA Rule.
(a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
(b) Each member must update its plan in the event of any material change to the member's operations, structure, business or location. Each member must also conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business, or location.
(c) The elements that comprise a business continuity plan are flexible and may be tailored to the size and needs of a member. Each plan, however, must at a minimum, address:
(1) Data back-up and recovery (hard copy and electronic);
(2) All mission critical systems;
(3) Financial and operational assessments;
(4) Alternate communications between customers and the member;
(5) Alternate communications between the member and its employees;
(6) Alternate physical location of employees;
(7) Critical business constituent, bank, and counter-party impact;
(8) Regulatory reporting;
(9) Communications with regulators; and
(10) How the member will assure customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
Each member must address the above-listed categories to the extent applicable and necessary. If any of the above-listed categories is not applicable, the member's business continuity plan need not address the category. The member's business continuity plan, however, must document the rationale for not including such category in its plan. If a member relies on another entity for any one of the above-listed categories or any mission critical system, the member's business continuity plan must address this relationship.
(d) Members must designate a member of senior management to approve the plan and he or she shall be responsible for conducting the required annual review. The member of senior management must also be a registered principal.
(e) Each member must disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. At a minimum, such disclosure must be made in writing to customers at account opening, posted on the member's Internet Web site (if the member maintains a Web site), and mailed to customers upon request.
(f) For purposes of this rule, the following terms shall have the meanings specified below:
(1) "Mission critical system" means any system that is necessary, depending on the nature of a member's business, to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.
(2) "Financial and operational assessment" means a set of written procedures that allow a member to identify changes in its operational, financial, and credit risk exposures.
Adopted by SR-NASD-2002-108 eff. Aug. 11, 2004 (Clearing Firms), Sep. 10, 2004 (Introducing Firms).
Selected Notice: 04-37.