Business Continuity Plans (BCPs)

Regulatory Obligations

FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) requires firms to create and maintain a written BCP with procedures that are reasonably designed to enable firms to meet their obligations to customers, counterparties and other broker-dealers during an emergency or significant business disruption.¹⁰ The rule also requires firms to review and update their BCPs, if necessary, in light of changes to firms’ operations, structure, business or location. Further, although most introducing firms rely, to some extent, on their clearing firms to allow customers to access their accounts and enter transactions, they are responsible for compliance with the BCP rule.

Noteworthy Examination Findings

FINRA found some firms encountering challenges where their BCPs did not reflect certain market conditions, business models or other circumstances.

• Incomplete Mission-Critical Systems – Some firms’ BCPs did not identify all of their mission-critical systems. Omitted systems included those used for order management for trading desks, or vendor systems that processed and managed financing transactions, such as securities lending and repurchase agreements.
• Insufficient Capacity – Some larger firms did not have sufficient capacity to handle substantially increased call volumes and online activity during a business disruption, which affected customers’ ability to access their accounts.
• No Updates for Operational Changes – Some firms did not update their BCPs after significant operational changes, such as outsourcing critical operational functions, relocating data centers or replacing other key systems, including trading desk order management systems or other systems that are critical to firms’ business lines.
• Outdated Contact Information – Some firms’ BCPs contained outdated emergency contact information and did not identify how customers could access their funds and securities during a business disruption.
• Local Document Storage – Some firms allowed employees to maintain critical working documents on their computers’ local drives rather than requiring that they be stored on the firms’ network. Firms should review their controls to test whether these files would be secure and readily accessible.
• No Registered Principal Registrations – Some senior management personnel, who were responsible for performing the annual BCP review, did not maintain the required registered principal registration.¹¹

Effective Practices

Firms implement a number of effective practices to fulfill their obligations under the rule, especially those relating to testing of their BCP plans.

• Engaging in Annual Testing – Firms tested their BCPs as part of their annual review to confirm that the BCP was updated, and to evaluate its effectiveness, especially with respect to the functioning of mission-critical systems and processes, availability of key personnel and access to physical contingency site location(s). As part of these tests, some firms assessed their remote access capabilities to such systems, as well as evaluated and documented their ability to failover from one server to another. Firms also included key vendors in their BCP tests and documented results from those tests.
• Incorporating Test Results into Firm Training – Firms found these tests can be a valuable tool, not only to identify weaknesses in their BCPs, but also to train staff on how to implement the program, should that become necessary.

Additional Resources

• Regulatory Notice 19-06 (FINRA Requests Comment on the Effectiveness and Efficiency of Its Rule on Business Continuity Plans and Emergency Contact Information)
• Regulatory Notice 19-15 (FINRA Publishes Consolidated Criteria to Designate Firms for Mandatory Participation in FINRA’s Business Continuity/Disaster Recovery Testing)
• Business Continuity Plan FAQs
• Small Firm Business Continuity Plan Template
• Business Continuity Planning Topic Page