View Whole SectionText only Print Print Manager Link
Previous Next

02-23 The NASD Seeks Comment On Proposed Rules Relating To Member Firm Business Continuity Plans And Emergency Contact Information

View PDF File

Business Continuity Plans

Action Requested By: May 13, 2002

SUGGESTED ROUTING

KEY TOPICS

Executive Representative
Institutional
Internal Audit
Legal & Compliance
Operations
Registration
Senior Management
Systems

Business Continuity
Disaster Recovery
Emergency Preparedness



Executive Summary

The NASD is seeking comment from NASD members, investors, and other interested parties on proposed rules that would require members to create and maintain business continuity plans. Following the events of September 11th, most member firms were able to resume their business operations relatively quickly. Building upon the lessons learned from September 11th, the NASD is considering steps that member firms can take to ensure that they are prepared for possible future business disruptions. Through an extensive fact gathering process, including a significant survey initiative, the NASD obtained a wealth of data on the business continuity plans of NASD member firms.

The NASD is seeking comment on whether to require members to create and maintain business continuity plans. Further, the NASD is soliciting comment on whether the NASD should, through the Member Firm Contact Questionnaire, collect additional information about member firms to assist the NASD in the event of future significant business disruptions.

Action Requested

The NASD encourages all members, investors, and interested parties to comment. Comments can be submitted using the following methods:

1) mailing in checklist (Attachment B);
2) mailing in written comments;
3) e-mailing written comments to pubcom@nasd.com; or
4) submitting comments online at NASD Regulation's Web Site (www.nasdr.com).

Written comments should be mailed to:

Barbara Z. Sweeney
Senior Vice President
Office of the Corporate Secretary
NASD Regulation, Inc.
1735 K Street, NW
Washington, DC 20006-1500

The only comments that will be considered are those submitted in writing, either via e-mail, regular mail, or NASD Regulation's Web Site.

Before becoming effective, the NASD Regulation Board of Directors must adopt, and the Securities and Exchange Commission (SEC) must approve, any rule change.

Questions/Further Information

Questions regarding this Notice to Members may be directed to Daniel M. Sibears, Senior Vice President and Deputy, Member Regulation, NASD Regulation, at (202) 728-6911, and Brian J. Woldow, Attorney, Office of General Counsel, NASD Regulation, at (202) 728-6927.

Background And Discussion

In the wake of the events of September 11, 2001, the securities markets and industry showed an impressive ability to recover and continue their business. It is a tribute to the strength of the U.S. financial markets that broker/dealers were able to return to relatively normal operations so quickly. After the events of this period, the NASD decided to examine the industry's recovery capability in greater detail and to determine whether any regulatory action is needed to assure swift recovery in the event of any future significant business disruptions.

NASD Survey Initiative

To fully understand the ability of members to respond to significant business disruptions, such as those resulting from the tragedy of September 11th, the staff surveyed 150 randomly selected member firms and 120 of the largest member firms. The 150 firms chosen to participate in the survey represent a statistically random sample of the entire NASD membership (approximately 5,600 NASD members) proportionately separated into the three categories of introducing, clearing/self-clearing, and specialty products firms. In addition, the staff selected 120 of the largest member firms to survey based on the number of registered persons associated with the firm. These firms collectively represent 70 percent of the registered representative population. The survey questions sent to the 120 large firms were identical to those sent to the 150 randomly selected firms. The results received from the survey sent to large firms are distinct from the random sample and do not overlap.

As further detailed below, the survey revealed many encouraging results. At the same time, the survey showed that a significant number of the randomly selected member firms do not have business continuity plans. In addition, a significant number of smaller and mid-sized firms do not store back-up data and systems in a geographically separate location from their primary systems and records. Approximately two-thirds of the randomly selected firms and almost all of the larger firms can recover data from a remote site. Further, less than half of the randomly selected firms and three-fourths of the larger firms have back-up facilities in place that have the capacity to handle the same volume of trading as the primary facility. Nearly all member firms perform daily or weekly back-up of records.

Not surprisingly, the maintenance of trading and investor records by a clearing firm for an introducing firm is common. Financial records, however, are less likely to be maintained by a correspondent's clearing firm. Although clearing firms do maintain certain records for introducing firms, over onefourth of the introducing firms reported that there are significant records that are not kept at their clearing firm. This was confirmed by clearing firms.

The survey results showed that approximately 85 percent of the larger firms have back-up systems to accommodate investor communications between the firm and its customers. In comparison, less than half of the randomly selected firms maintain such systems. Almost three-fourths of the larger firms and less than one-fourth of the randomly selected firms maintain Internet Web Sites that allow for customer transactions and emergency communications with investors.

Importantly, the survey also focused on the capability of firms following the September 11th tragedy to ensure that customers had access to their accounts. Very few firms reported that their customers were unable to execute securities transactions in their accounts when the markets became operational following the September 11th tragedy.

The survey examined the ability of members to communicate with key staff during a significant business disruption. Virtually all of the randomly selected firms and the larger firms maintain a readily available list of contact information for the purpose of locating and communicating with key staff during a significant business disruption. In addition, approximately three-fourths of randomly selected firms and almost all of the larger firms maintain a readily available list of contact information for clearance and settlement organizations, banks, counterparties, key business relationships, and regulators.

Finally, the survey questioned whether it would be helpful for the NASD to serve as a central repository for firms' business continuity plans and emergency contact numbers for key organizations (e.g., Securities and Exchange Commission, Depository Trust & Clearing Corporation, National Securities Clearing Corporation, Federal Reserve Bank). A substantial number of firms believed a repository service would be helpful.

NASD Proposed Rules

Based upon the survey findings, discussions with the SEC and the Government Accounting Office, and the experiences of September 11th, the NASD is soliciting comment on a proposal that would require member firms to create and maintain business continuity plans. The proposal recognizes that business continuity plans should take into account the particular operations and activities of a member. Based upon the diverse nature of the NASD membership, the proposal allows member firms to tailor plans to suit their size, business, and structure. In particular, the NASD is seeking comment on the scope of business continuity plans. The proposal states that a member's business continuity plan must, at a minimum, address:

  • data back-up and recovery (hard copy and electronic);


  • mission critical systems;


  • financial and operational assessments;


  • alternate communications between customers and the firm;


  • alternate communications between the firm and its employees;


  • business constituent, bank and counter-party impact;


  • regulatory reporting; and


  • communications with regulators.

The proposed rule language defines "mission critical system" as any system that is necessary, depending on the nature of a member's business, to ensure prompt and accurate processing of securities transactions, including order taking, entry, execution, comparison, allocation, clearance and settlement of securities transa ctions, the maintenance of customer accounts, access to customer accounts, and the delivery of funds and securities. This definition is materially consistent with the SEC's definition of "mission critical system" in its Year 2000 Rule.1

The proposal requires that each member conduct a yearly review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business, or location. The NASD is seeking comment on whether members believe that this requirement is sufficient.

The proposal only requires that plans be available for inspection by NASD staff. The NASD also anticipates offering a voluntary repository service for members' business continuity plans. In the event that a member is unable to gain access to its business continuity plan, the member could contact NASD staff to obtain a copy of its plan. Similarly, if the NASD could not contact a particular firm due to a disaster, it would have a greater opportunity to protect investors and the marketplace, and assist the firm, if it had the firm's plan on file. A reasonable filing fee will need to be charged for this service, but the specific amount of the fee has not yet been determined.

The NASD's experience in the aftermath of September 11th confirms that the NASD needs a fully reliable means of contacting firms in the event of an emergency. As a result, the NASD is soliciting comment on whether the NASD should, through the existing Member Firm Contact Questionnaire, collect additional information about member firms to assist the NASD in the event of future business disruptions. The proposal requires members to file and keep current with the NASD certain key information that would be of particular importance during significant business disruptions, including:

  • emergency contact information for key staff;


  • identification of a designated contact person;


  • location of books and records (including back-up locations);


  • clearance and settlement information;


  • identification of key banking relationships; and


  • alternative communication plans for investors.

To lessen any burden imposed by this proposal, the NASD believes that the emergency contact information should be collected through the Member Firm Contact Questionnaire on the NASD Regulation Web Site. Pursuant to Article IV, Section 3 of the NASD By-Laws, members are required to appoint an executive representative to represent, vote, and act for the member in nearly all of the affairs of the NASD. The member must appoint an executive representative and update contact information for the executive representative via the Member Firm Contact Questionnaire on the NASD Regulation Web Site. Amending the questionnaire, rather than creating a new form or amending Form U-4 or Form BD, would minimize any regulatory burden placed on members and limit the costs associated with supplying the NASD with emergency contact information. Finally, the proposal requires members to update their emergency contact information in the event of any material change, and at a minimum to review the information twice a year, to ensure its accuracy.

NASD Regulation anticipates issuing additional guidance to assist firms in satisfying obligations under any final rules that may result from this proposal.


Endnote

1 See 17 C.F.R. § 240.15b7-3T(g)(1) (2001).


ATTACHMENT A

Text of Proposed Rules

Rule 3500: Emergency Preparedness

Rule 3510: Business Continuity Plans

(a) Members of the Association must create and maintain a written business continuity plan identifying procedures to be followed in the event of an emergency or significant business disruption. The business continuity plan must be made available upon request to NASD staff.
(b) Members must conduct a yearly review of their business continuity plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business or location.
(c) The requirements of a business continuity plan are flexible and may be tailored to the size and needs of a member. Each plan, however, must, at a minimum, address:
(1) Data back-up and recovery (Hard copy and electronic);
(2) All mission critical systems;
(3) Financial and operational assessments;
(4) Alternate communications between customers and the firm;
(5) Alternate communications between the firm and its employees;
(6) Business constituent, bank and counter-party impact;
(7) Regulatory reporting; and
(8) Communications with regulators.
(d) "Mission critical system" means any system that is necessary, depending on the nature of a member's business, to ensure prompt and accurate processing of securities transactions, including order taking, entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.
(e) "Financial and operation assessments" means a procedure created by a firm to test and determine the firm's capability to conduct business.

Rule 3520: Emergency Contact Information

(a) Members must maintain and supply the NASD with information required by the Member Firm Contact Questionnaire through the NASD Regulation Web Site.
(b) Members must update the Member Firm Contact Questionnaire in the event of any material change, but at a minimum must review the information contained therein twice a year to ensure its accuracy.

ATTACHMENT B

Request For Comment Checklist

We have provided below a checklist that members and other interested parties may use in addition to or in lieu of written comments. This checklist is intended to offer a convenient way to participate in the comment process, but does not cover all aspects of the proposal described in the Notice. We therefore encourage members and other interested parties to review the entire Notice and provide written comments, as necessary.

Instructions

Comments must be received by May 13, 2002. Members and interested parties can submit their comments using the following methods:

  • mailing in this checklist

  • mailing in written comments

  • submitting comments online at the NASDR Web Site (www.nasdr.com)

The checklist and/or written comments should be mailed to:

Barbara Z Sweeney
Senior Vice President
Office of the Corporate Secretary
National Association of Securities Dealers, Inc.
1735 K Street NW
Washington, DC 20006-1500

Business Continuity Plans

1. Should the NASD require members to create and maintain business continuity plans?

Yes No See my attached written comments
2. The proposal requires that a member's business continuity plan, at a minimum, address: (1) data back-up and recovery (hard copy and electronic); (2) mission critical systems; (3) financial and operational assessments; (4) alternate communications between customers and the firm; (5) alternate communications between the firm and its employees; (6) business constituent, bank, and counter-party impact; (7) regulatory reporting; and (8) communications with regulators.

Are these categories over-inclusive?

Yes No See my attached written comments

Are these categories under-inclusive?

Yes No See my attached written comments
3. Does the definition of "mission critical system" adequately address all systems necessary to ensure prompt and accurate processing of securities transactions?

Yes No See my attached written comments
4. Would members benefit from the NASD serving as a repository for members to submit business continuity plans on a voluntary basis?

Yes No See my attached written comments
5. Should members be required to file their plans with the NASD?

Yes No See my attached written comments
6. Would it be helpful for the NASD to issue guidance to assist firms in developing business continuity plans to satisfy their obligations under the proposed rules?

Yes No See my attached written comments
7. Is the requirement that each member conduct a yearly review of its business continuity plan sufficient?

Yes No See my attached written comments

Contact Information

Name:
Firm:
Address:
City/State/Zip:
Phone:
E-Mail:

Are you:

  An NASD Member
  An Investor
  A Registered Representative
  Other:


Previous Next