In light of the threats posed by natural disasters, pandemics and civil disorder, among other events, businesses of all types must formulate responses to address significant business disruptions (“SBDs”) and the safety of associated persons. U.S. broker-dealers should review and consider their policies in light of the threats posed by SBDs and must also consider their obligations under FINRA’s Business Continuity Rule. In particular, broker-dealers must be aware of how SBDs may affect mission-critical systems, and must consider how they will continue to operate in the event of a SBD.
Background: FINRA Rule 4370
FINRA Rule 4370 is FINRA’s emergency preparedness and business continuity rule, and requires each FINRA member to create and maintain a written business continuity plan (“BCP”) identifying procedures relating to an emergency or SBD. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member’s existing relationships with other broker-dealers and counter-parties. Broker-dealers with cross-border operations should consider that different responses may be required to address the same SBD across distinct regions.
The elements that comprise a BCP are flexible and may be tailored to the size and needs of a member. Each plan, however, must, at a minimum, address:
- Data backup and recovery (hard copy and electronic);
- All mission-critical systems;
- Financial and operational assessments;
- Alternate communications between customers and the member;
- Alternate communications between the member and its employees;
- Alternate physical location of employees;
- Critical business constituent, bank and counter-party impact;
- Regulatory reporting;
- Communications with regulators; and
- How the member will assure customers’ prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
In addition, members must:
- Designate a registered principal who is a member of senior management to approve the plan and conduct the required annual review;
- Disclose in writing to customers upon account opening, on the member’s website, or in writing upon request, how its BCP addresses the possibility of future SBDs of varying scope;
- Update emergency contact information, via such electronic or other means as FINRA may specify, in the event of any material change in accordance with Rule 4517 (Member Filing and Contact Information Requirements); and
- Report to FINRA prescribed emergency contact information for the member.
Many firms also incorporate important testing, both periodic and episodic, in order to detect and remediate weaknesses and to demonstrate compliance.
Among the considerations that broker-dealers should assess when evaluating their policies are the following:
In the event of a SBD, firms may need to take steps to ensure the physical safety and health of associated persons. For example, many firms today have general prohibitions on associated persons traveling to epidemic-affected countries and/or certain affected areas of countries. Some firms require supervisory approval to travel to non-affected areas of affected countries. These prudential prohibitions are important as the State Department makes recommendations that U.S. citizens do not travel to affected areas, but rarely bans citizens from traveling.
In the case of pandemics, firms also have to grapple with policies for both (i) associated persons who have traveled to affected areas, and (ii) associated persons who may have come into contact with others (e.g., roommates) who have traveled to affected areas. Firms should develop and communicate those policies to associated persons, and some firms are utilizing systems to monitor associated persons. Some firms have adopted quarantine policies for associated persons who have traveled to affected areas, prohibiting them from coming to the office and requiring them to self-isolate for 14 days or more.
When SBDs occur, it is common for larger-than-usual numbers of broker-dealer associated persons to work remotely, including from home. Broker-dealer associated persons should be cautioned not to hold any location out as an office of the firm (other than firm-designated non-branch locations, branch offices and OSJs). Further, associated persons who are working remotely should be reminded not to store any firm documents at their personal residences, but rather to scan documents into firm systems. Associated persons working remotely should also be reminded of good document security practices.
When larger than usual numbers of associated persons are working remotely, communication between associated persons and supervisors, as well as communication among supervisors, is critical. Technology has vastly changed broker-dealer remote work in the past few years, with personal video conferencing technologies available on most phones, and well-regarded document sharing systems, screen sharing systems, and virtual private network systems (VPNs) used throughout the industry. Broker-dealer teams that work remotely report that increased use of these technologies and increased frequency of team calls among working units (and among unit supervisors) are best practices.
Other firms, in anticipation of having larger-than-usual numbers of associated persons working remotely, are creating multiple teams that can come into office locations on a rotating or periodic basis as a means of balancing reduced in-office time with maintenance of core systems.
Telecommuting can interrupt normal flows of communication between associated persons, customers, regulators and critical business constituents like banks, clearing houses and counterparties. Many firms use communication technologies effectively to minimize communications disruptions. To ensure that communications are not disrupted while associated persons are working from outside of the office, firms may wish to review their policies and BCPs to determine if any further detail is required.
Firms should also consider creating a centralized process for simultaneously contacting all associated persons who are working outside of the central office rather than depending on each unit to contact staff individually. It is also a best practice to frequently update emergency contact lists.
Outsourced Functions and Vendor Management
Member firms’ increased use of outside entities to perform functions related to their business operations can create compliance risks during SBDs. Regulators have stated that a member firm’s use of a third-party service provider does not relieve the firm of its ultimate responsibility to achieve compliance with all applicable securities laws and regulations and FINRA and MSRB rules. As such, firms should take reasonable steps to ensure that all of their current or prospective third-party service providers, especially those relating to core services such as clearing brokers, are capable of performing any required outsourced activities in the case of a SBD.
One best practice is for firms to create a list of their vendors, assess the susceptibility of each vendor to SBDs, categorize vendor relationships in terms of that risk and then incorporate that assessment into the firm’s own BCP. It is also a best practice to maintain contact information for key relationship contacts at essential high-risk vendors, especially e-mail addresses and mobile phone numbers.
Critical Broker-Dealer Functions
In the broker-dealer context, certain activities require special consideration when responding to SBDs. Firms should consider examining their policies and procedures to ensure that SBDs will not prevent them from:
- Communicating with customers (firms should promptly place a notice on their website indicating alternative communication methods if normal customer communication is interrupted);
- Providing customer access to funds and securities;
- Order taking;
- Order entry;
- Order execution;
- Communicating effectively with markets, exchanges, venues and regulators;
- Transferring securities to and from clearing agencies;
- Custody of securities; or
- Creating and retaining books and records in compliance with SEC and FINRA regulations (including that electronic records must be kept in WORM format).
Recent events have challenged firms across the globe, and broker-dealers are no exception. Firms should consider their business continuity and emergency preparedness plans and determine if any additions, modifications or updates are required.