Based upon the wide spread devastation caused by Hurricane Sandy, and the numerous other natural disasters such as tornadoes, flooding and wildfires that have occurred in the last few years, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“SEC”), the Financial Industry Regulatory Authority (“FINRA”), and the Commodity Futures Trading Commission’s Division of Swap Dealers and Intermediary Oversight (“CFTC”) jointly reviewed the business continuity and disaster recovery plans (“BCPs”) of firms with a significant market presence. As a result of that joint review, FINRA, the SEC and CFTC issued a Business Continuity Planning Advisory (FINRA Notice to Members 13-25).
The advisory represents the first major guidance issued by FINRA, the SEC and or the CFTC since BCPs were mandated by the SEC for investment advisers and broker-dealers (FINRA Rule 4370, formerly NASD Rule 3500 series for broker-dealers). It is anticipated that the guidance will have a significant impact on the BCPs for broker-dealers and financial advisers as the compliance bar gets raised. The advisory compiles a summary of what the regulators learned in thier BCP review and encourages firms to review their BCPs to implement best practices to improve response times to, and recovery time after significant large-scale events.
While it was noted that the impact of a business disruption is going to be based upon the severity of the disruption, it also noted that BCPs need to take into account the firm’s location, size, type of business and need for contact with customers and regulators. Best practice considerations include the following: (i) the lack of communication, transportation, office space and services, fuel and water; (ii) the possible need to use an alternative location in a separate geographic region; (iii) critical vendor relationships and the vendor’s ability to perform crucial services in light of the disruption; (iv) the use of multiple communications vendors; (v) the communication plans with customers, clearing firms, regulators and other critical third parties; (vi) regulatory and compliance reporting; and (vii) the annual review and testing of the BCPs.
In preparation of a significant business disruption, both broker-dealers and investment advisers should consider reviewing their current BCPs, as applicable, to determine if they are compliant with the best practices set forth in the advisory. Click for the “2013 Business Continuity Plan Update Worksheet”, which was prepared to assist financial firms in making an assessment as to whether their BCP may need to be modified to address the best practices noted in the advisory. In addition, a number of best practices that should be addressed in the BCPs include the following items:
- To the extent that a firm is located in an area where widespread disruptions frequently, or are likely, to occur, the BCPs should address lack of communications, transportation and electricity.
- Whether employees will be able to travel to the office, or an alternate work location or if they will have the ability to work from home.
- The utilization of alternate locations that are geographically separated from the primary office, and what key personnel will be relocated to the site. Consideration should be given to housing and transportation for personnel and the amount of space needed, computers, additional phone lines, generators and internet.
- Categorize vendors and third party service providers (low-risk, high-risk, etc.) and evaluate the risk in BCP plans.
- Address whether a firm’s critical vendors have business continuity plans to ascertain that the vendor utilizes alternate locations, back-up systems (and the capacity of the back-up system), the amount of time the vendor expects to be out of service during a significant business disruption and the amount of time it will take them to commence service.
- Redundant services for telephone and internet, and if staff members are permitted to work remotely, the availability of telephone and internet services for those locations.
- Have BCPs being made available to customers, employees as well as counterparties and third party vendors, including up to date information on the web site.
- Contact information for the various regulatory authorities as well as for the designated principal to contact the appropriate regulators if the firm has to implement its BCP.
- Annual testing of BCPs to ensure that the plan is practical, it actually functions as designed and is in compliance with regulatory requirements, communication changes, vendor changes and personnel changes.
We hope that this information has been helpful to you. Should you have any additional questions or concerns, please feel free to contact Daniel E. LeGaye or Michael Schaps by e-mail or phone, at 281-367-2454, or consult with your legal counsel or compliance consultant. This legal update has been provided to you courtesy of The LeGaye Law Firm, P.C., 2002 Timberloch Drive, Suite 200, The Woodlands, Texas 77380. Visit our web site at www.legayelaw.com.
The information contained herein is not, nor is it intended to be legal advice or establish or further an attorney-client relationship. All facts and matters reflected in this information should be independently verified and should not be taken as a substitute for individualized legal advice. You should consult an attorney for individual advice regarding your own situation. Not Board Certified by Texas Board of Legal Specialization. Michael Schaps is not an attorney.