
04-37 SEC Approves Rules Requiring Members to Create Business Continuity Plans and Provide Emergency Contact Information

GUIDANCE

Business Continuity Plans

Effective Dates:

Rule 3510: Clearing Firms: August 11, 2004; Introducing Firms: September 10, 2004
Rule 3520: All Firms: June 14, 2004

SUGGESTED ROUTING

Legal/Compliance
Operations
Senior Management

KEY TOPICS

Business Continuity Plans
Contingency Planning
Emergency Contact Information
Mission Critical Systems
Rule 3510
Rule 3520

Executive Summary

On April 7, 2004, the Securities and Exchange Commission (SEC) approved the new NASD Rule 3500 Series, which requires members to establish emergency preparedness plans and procedures.[1] Rule 3510 requires each member to create and maintain a business continuity plan and enumerates certain requirements that each plan must address. The Rule further requires members to update their business continuity plans upon any material change and, at a minimum, to conduct an annual review of their plans. Each member also must disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. Rule 3520 requires members to designate two emergency contact persons and provide this information to NASD via electronic process.

The Rule 3500 Series, Emergency Preparedness, is included in this Notice as Attachment A. NASD's Small Introducing Firm Template will be available at www.nasdr.com/business_continuity_planning.asp.

Questions/Further Information

Questions regarding this Notice may be directed to Daniel M. Sibears, Senior Vice President & Deputy, Member Regulation, Regulatory Policy and Oversight (RPO), (202) 728-6911; or Shirley H. Weiss, Associate General Counsel, Office of General Counsel, RPO, at (202) 728-8844.

Discussion

Rule 3510. Business Continuity Plans

NASD Rule 3510 requires each member to create and maintain a business continuity plan. Each member's plan must identify procedures relating to an emergency or significant business disruption that are "reasonably designed to enable the member to meet its existing obligations to customers." In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.

Updating Requirement

Rule 3510(b) requires each member to update its plan in the event of any material change to the member's operations, structure, business, or location. Each member must also conduct an annual review of its plan to determine if any updates are needed in light of any changes to the member's operations, structure, business, or location.

Elements of a Plan

The Rule recognizes the diversity of members' business and operations. Accordingly, the requirements of a plan are flexible and should be tailored to the size and needs of each member. However, each plan must, at a minimum, address the following ten key areas:

(1) Data back-up and recovery (hard copy and electronic);
(2) All mission critical systems;
(3) Financial and operational assessments;
(4) Alternate communications between the member and its customers;
(5) Alternate communications between the member and its employees;
(6) Alternate physical location of employees;
(7) Critical business constituent, bank, and counter-party impact;
(8) Regulatory reporting;
(9) Communications with regulators; and
(10) How the member will assure customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.

Each member's plan must address the above-listed categories only to the extent applicable and necessary. At the same time, the above-listed categories are not exhaustive; members should address other key areas for their plans to be complete and thorough based on their business and operations.

NASD understands that the business of some members may not touch upon each of the categories and that members may not perform certain of the "mission critical systems" functions. If a member does not include a specified category in its plan, the member's business continuity plan must document the rationale for its absence. Similarly, if a member relies on another entity for any one of the above-listed categories or any mission critical system, the member's business continuity plan must explain the relationship with the other entity in its plan. Even where members rely on another entity to perform certain functions, members must still create specific procedures to follow in light of a significant business disruption. If, for example, a clearing firm maintains customer funds and securities on behalf of an introducing firm, the introducing firm must create its own procedures and may not merely state that the firm does not hold customer funds or securities.

NASD also understands that many introducing firms may rely on their clearing firms for most mission critical systems and the maintenance of certain books and records. As such, introducing firms may need access to information contained within their clearing firms' business continuity plans. NASD strongly encourages all clearing firms to grant their introducing firms access to their plans or to create an executive summary of their plan that is relevant to the introducing firm.

Plan Approval

Rule 3510(d) requires each member to designate a member of senior management who is also a registered principal to approve the plan and be responsible for conducting the required annual review. The review does not require the member of senior management to personally conduct all aspects of the review; however, he or she must review the final plan, including any proposed changes to the existing plan.

While a single designated member of senior management must approve the final plan, the member firm remains responsible for compliance with Rule 3510. Senior management approval is intended only to ensure that a person with proper authority reviews the plan, and not to make one person responsible for a member's compliance with Rule 3510.

Data Back-Up and Recovery (Hard Copy and Electronic)

One of the categories that members' business continuity plans must address is "data back-up and recovery (hard copy and electronic)." NASD notes that the Rule does not mandate that members keep books and records (and back-up books and records) in both hard copy and electronic formats. Members should refer to SEC and NASD rules and interpretative materials that specifically address record retention requirements, including SEC Rule 17a-4 and NASD Rule 3110, to determine which records (and in what format) firms must retain.

Mission Critical Systems

For purposes of Rule 3510, NASD defines "mission critical system" as "any system that is necessary, depending on the nature of a member's business, to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities." This definition is substantially similar to the SEC's definition of "mission critical system" in its Y2K Rules.

Financial and Operational Assessments

Rule 3510(c)(3) defines "financial and operational assessments" as "a set of written procedures that allows a member to identify changes in its operational, financial, and credit risk exposures." Operational risk focuses on the firm's ability to maintain communications with customers and to retrieve key activity records through its "mission critical systems." Financial risk relates to the firm's ability to continue to generate revenue and to retain or obtain adequate financing and sufficient equity. In addition, an eroding financial condition could be exacerbated or caused by a deterioration in the value of the firm's investments due to the lack of liquidity in the broader market, which would also hinder the ability of the firm's counter-parties to fulfill their obligations. A firm would be expected to periodically assess changes in these exposures, quickly assess the situation, and take appropriate action relative to a significant business disruption. Members' procedures should be written and implemented to reflect the interrelationship among these risks.

Critical Business Constituent, Bank, and Counter-Party Impact

Members must have procedures that assess the impact that a significant business disruption would have on critical business constituents (businesses with which a member firm has an ongoing commercial relationship in support of the member's operating activities), banks (lenders), and counter-parties (e.g., other broker-dealers or institutional customers). In addition, members must provide for alternative actions or arrangements with respect to their contractual relationships with business constituents, banks, and counter-parties in the event of a material business disruption to either party. In short, the Rule requires a member to assess the effect of a significant business disruption on its business constituents, banks, and counter-parties and decide appropriate actions if faced with any such situation. The Rule, however, permits each member to adopt an approach in dealing with its business constituents, banks, and counter-parties that is best suited to the member's particular operations, structure, business, and location.

Members initially will be responsible for identifying those relationships that they deem critical for purposes of complying with the Rule. However, as NASD gains experience in working with the Rule, it may decide to enumerate specific relationships that it views as critical to all members.

Prompt Access to Funds and Securities

Rule 3510(c)(10) requires each member to address how it will assure customers' prompt access to their funds and securities in the event that the member determines it is unable to continue its business. If a member has customers, the member must detail the procedures it will employ to ensure customer access to funds and securities. If a member believes that Securities Investor Protection Corporation (SIPC) rules may affect its response to this subsection, the member should address SIPC rules in its plan. NASD further notes that members may not rely on SIPC membership, by itself, to satisfy their obligations under Rule 3510(c)(10) because SIPC involvement in the liquidation of a broker-dealer is limited to SIPC's authority under the Securities Investor Protection Act of 1970.

Disclosure Requirements

Rule 3510(e) requires each member to disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. In addressing the events of varying scope, NASD believes that each member should: (1) provide specific scenarios of varying severity (e.g., a firm-only business disruption, a disruption to a single building, a disruption to a business district, a city-wide business disruption, and a regional disruption); (2) state whether it plans to continue business during that scenario and, if so, its planned recovery time; and (3) provide general information on its intended response. The disclosure must, at a minimum, be made in writing to customers at account opening, posted on the member's Web site (if the member maintains a Web site), and mailed to customers upon request.

Members must disclose the existence of back-up facilities and arrangements. Members, however, need not disclose the following factors: the specific location of any back-up facilities; any proprietary information contained in the plan; and the parties with whom the member has back-up arrangements. Members may include cautionary language in their business continuity plans indicating that such plans are subject to modification, that updated plans will be promptly posted on the member's Web site, and that customers may alternatively obtain updated plans by requesting a written copy of the plan by mail.

Applicability to Subsidiaries

A subsidiary member firm may satisfy its obligations under Rule 3510 by participating in a corporate-wide business continuity plan of a parent corporation that addresses its subsidiary member firms, even if the parent corporation is not an NASD member. However, if a subsidiary relies on the plan of a non-member parent corporation, the subsidiary member must ensure that the parent's business continuity plan complies with Rule 3510 and addresses all requirements under the Rule.

Importantly, the member also remains responsible for complying with all requirements of Rule 3510. Among other things, the member must designate a member of senior management, who must be a registered principal, to approve the parent's plan (as it applies to the member), conduct an annual review of the plan, and require the plan to be updated as necessary to meet all of the requirements of Rule 3510. The registered principal will also be responsible for requiring the parent to update the plan in the event of any material change to the member's operations, structure, business, or location. The member must comply with the disclosure requirements set forth in Rule 3510(e). In addition, the member must retain a copy of the parent's plan in accordance with applicable federal securities laws and NASD rules, and make it promptly available to NASD staff upon request.

Rule 3520. Emergency Contact Information

Rule 3520 requires members to provide NASD with emergency contact information and to update any information upon the occurrence of a material change. The Rule requires members to designate two emergency contact persons that NASD may contact in the event of a significant business disruption. Each emergency contact person must be a registered principal and a member of senior management. In the case of a member that has only one principal, the second emergency contact person should be another firm employee. In the case of a sole proprietorship with only one employee, the second emergency contact may be an individual, either registered with another firm or non-registered, who has knowledge of the member's business operations, such as the member's attorney, accountant, or clearing firm contact.

In the event of a material change, each member must promptly update its emergency contact information, via such electronic or other means as NASD may require. In addition, the member's Executive Representative, or his or her written designee, must review and, if necessary, update the member's emergency contact information within 17 business days after the end of each calendar quarter. This update must include any change to the designation of the two emergency contact persons. Furthermore, members must have adequate controls and procedures to ensure that only the Executive Representative, or his or her written designee, may perform the review and update. Members must provide this information through NASD's Contact System (NCS) (formerly known as the NASD Member Firm Contact Questionnaire or NMFCQ) at www.nasdr.com/ncs.asp.

Repository Service

NASD, through an outside vendor, will provide a repository service for members' business continuity plans. This service is intended to provide members with a place outside of their firm to store a copy of their business continuity plan. Members will be charged a fee of $10–15 per month for use of the repository service, although this fee is subject to change.


[1] See Securities Exchange Act Release No. 49537 (Apr. 7, 2004), 69 Fed. Reg. 19586 (Apr. 13, 2004) (SEC Notice of Order Approving File No. SR-NASD-2002-108).

Attachment A

Proposed new language is underlined.

* * * * * * * * * *

3500. EMERGENCY PREPAREDNESS

3510. Business Continuity Plans

(a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
(b) Each member must update its plan in the event of any material change to the member's operations, structure, business or location. Each member must also conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business, or location.
(c) The elements that comprise a business continuity plan are flexible and may be tailored to the size and needs of a member. Each plan, however, must at a minimum, address:
(1) Data back-up and recovery (hard copy and electronic);
(2) All mission critical systems;
(3) Financial and operational assessments;
(4) Alternate communications between customers and the member;
(5) Alternate communications between the member and its employees;
(6) Alternate physical location of employees;
(7) Critical business constituent, bank, and counter-party impact;
(8) Regulatory reporting;
(9) Communications with regulators; and
(10) How the member will assure customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
Each member must address the above-listed categories to the extent applicable and necessary. If any of the above-listed categories is not applicable, the member's business continuity plan need not address the category. The member's business continuity plan, however, must document the rationale for not including such category in its plan. If a member relies on another entity for any one of the above-listed categories or any mission critical system, the member's business continuity plan must address this relationship.
(d) Members must designate a member of senior management to approve the plan and he or she shall be responsible for conducting the required annual review. The member of senior management must also be a registered principal.
(e) Each member must disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. At a minimum, such disclosure must be made in writing to customers at account opening, posted on the member's Internet Web site (if the member maintains a Web site), and mailed to customers upon request.
(f) For purposes of this rule, the following terms shall have the meanings specified below:
(1) "Mission critical system" means any system that is necessary, depending on the nature of a member's business, to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.
(2) "Financial and operational assessment" means a set of written procedures that allow a member to identify changes in its operational, financial, and credit risk exposures.

3520. Emergency Contact Information

(a) Each member shall report to NASD, via such electronic or other means as NASD may require, prescribed emergency contact information for the member. The emergency contact information for the member includes designation of two emergency contact persons. Each emergency contact person shall be a member of senior management and a registered principal of the member.
(b) Each member must promptly update its emergency contact information, via such electronic or other means as NASD may require, in the event of any material change. Each member must review and, if necessary, update its emergency contact information, including designation of two emergency contact persons, within 17 business days after the end of each calendar quarter to ensure the information's accuracy. The member's Executive Representative, or his or her designee, which designation must be in writing, must conduct such review and any update. Furthermore, members must have adequate controls and procedures to ensure that only the Executive Representative, or his or her written designee, may perform the review and update.