  • 19-06 FINRA Requests Comment on the Effectiveness and Efficiency of Its Rule on Business Continuity Plans and Emergency Contact Information; Comment Period Expires: April 26, 2019

    Retrospective Rule Review

    Regulatory Notice

    Notice Type

    Request for Comment

    Suggested Routing

    Compliance
    Legal
    Operations
    Senior Management
    Systems

    Key Topics

    Business Continuity Plans
    Cybersecurity
    Emergency Contact Information

    Referenced Rules & Notices

    FINRA Rule 4370
    NTM 04-37
    Regulatory Notice 09-59
    Regulatory Notice 09-60

    Summary

    FINRA is conducting a retrospective review of Rule 4370 (Business Continuity Plans and Emergency Contact Information), FINRA's emergency preparedness rule, to assess its effectiveness and efficiency. This Notice outlines the general retrospective rule review process and seeks responses to several questions related to firms' experiences with this specific rule.

    Questions regarding this Notice should be directed to:

    •   Jeanette Wingler, Associate General Counsel, Office of General Counsel (OGC), at (202) 728-8013 or Jeanette.Wingler@finra.org;
    •   Sarah Kwak, Assistant General Counsel, OGC, at (202) 728-8471 or Sarah.Kwak@finra.org;
    •   Lori Walsh, Deputy Chief Economist, Office of the Chief Economist (OCE), at (202) 728-8323 or Lori.Walsh@finra.org; or
    •   Meghan Burns, Associate Principal Analyst, OCE, at (202) 728-8062 or Meghan.Burns@finra.org.

    Action Requested

    FINRA encourages all interested parties to comment. Comments must be received by April 26, 2019.

    Comments must be submitted through one of the following methods:

    •   Emailing comments to pubcom@finra.org; or
    •   Mailing comments in hard copy to:

    Jennifer Piorko Mitchell
    Office of the Corporate Secretary
    FINRA
    1735 K Street, NW
    Washington, DC 20006-1506

    To help FINRA process comments more efficiently, persons should use only one method to comment.

    Important Notes: All comments received in response to this Notice will be made available to the public on the FINRA website. In general, FINRA will post comments as they are received.[1]

    Background & Discussion

    FINRA believes that it is appropriate, after a reasonable period of time, to look back at its significant rulemaking to determine whether a FINRA rule or rule set[2] is meeting its intended investor-protection objectives by reasonably efficient means. FINRA further believes that a retrospective review should include a review not only of the substance and application of a rule or rule set, but also FINRA's processes to administer the rules. FINRA conducts retrospective rule reviews on an ongoing basis to ensure that its rules remain relevant and appropriately designed to achieve their objectives, particularly in light of environmental, industry and market changes.

    In conducting the review of Rule 4370, FINRA staff will follow a similar process to previous retrospective rule reviews. In general, the review process consists of an assessment and action phase. During the assessment phase, FINRA will evaluate the efficacy and efficiency of the rule or rule set as currently implemented, including FINRA's internal administrative processes. FINRA will seek input from affected parties and experts, including its advisory committees, subject-matter experts inside and outside of the organization, and other stakeholders, including industry members, investors, interested groups and the public. FINRA staff will assess issues including the existence of duplicative, inconsistent or ineffective regulatory obligations; whether market or other conditions have changed to suggest there are ways to improve the efficiency or effectiveness of a regulatory obligation without loss of investor protections; and potential gaps in the regulatory framework.

    Upon completion of this assessment, FINRA staff will consider appropriate next steps, which may include some or all of the following: modifications to the rule, updated or additional guidance, administrative changes or technology improvements, or additional research or information gathering.

    The action phase will then follow. To the extent action involves modification of rules, FINRA will separately engage in its usual rulemaking process to propose amendments to the rules based on the findings. This process will include input from FINRA's advisory committees and an opportunity for comment on specific proposed revisions in a Regulatory Notice or rule filing with the SEC, or both.

    Request for Comment

    Rule 4370 is the successor rule to NASD Rules 3510 (Business Continuity Plans) and 3520 (Emergency Contact Information).[3] After the events of September 11, 2001, FINRA closely studied the securities markets and industry's recovery capability to assess whether any regulatory action would be needed to assure swift recovery in the event of any future significant business disruptions. As a result of that study, FINRA (then NASD) adopted in 2004 NASD Rules 3510 and 3520 to help ensure that member firms would be able to continue their business operations in the event of such disruptions. In 2009, FINRA adopted those rules, without substantive change, as Rule 4370 in the consolidated FINRA rulebook.[4]

    Rule 4370 requires a member firm to create, maintain, annually review and update upon any material change a written business continuity plan identifying procedures relating to an emergency or significant business disruption. While each member firm needs to conduct its own risk analysis to determine where critical impact points and exposures exist within the firm and with its counterparties and suppliers, significant business disruptions for purposes of business continuity planning may include, among other things, natural disasters, pandemics, terrorist attacks and cyber events.[5] In addition, member firms that heavily leverage technology for their business systems and infrastructure may have an increased risk of significant business disruptions associated with cyber events and technology-related disruptions.

    Each member firm has flexibility to tailor the business continuity plan to the size and needs of its business, provided that the plan addresses the enumerated minimum elements to the extent applicable and necessary to the firm. The rule also requires each member firm to disclose (at a minimum, in writing at account opening, by posting on its website, and by mailing upon request) to its customers how the business continuity plan addresses the possibility of a future significant business disruption and how the member firm plans to respond to events of varying scope.

    In addition, Rule 4370 requires each member firm to provide (and promptly update upon any material change) to FINRA prescribed emergency contact information for the member firm. This requirement is intended to ensure that FINRA has a reliable means of contacting each member firm in the event of an emergency. The rule requires the member firm to designate two associated persons as emergency contact persons, at least one of whom is a member of senior management and a registered principal of that firm. If a member firm designates a second emergency contact person who is not a registered principal, the rule requires the person to be a member of senior management who has knowledge of the member firm's business. For a member firm with only one associated person (e.g., a sole proprietorship), the second emergency contact person may be an individual, either registered with another firm or nonregistered, who has knowledge of the member firm's business operations, such as the firm's attorney, accountant or clearing firm contact.

    FINRA seeks answers to the following questions with respect to these rules:

    1. Has the rule effectively addressed the problem(s) it was intended to mitigate? To what extent have the original purposes of and need for the rule been affected by subsequent changes to the risk environment, the markets, the delivery of financial services, the applicable regulatory framework or other considerations? Are there alternative ways to achieve the goals of the rule that FINRA should consider?
    2. What has been your experience with implementation of the rule, including any ambiguities in the rule or challenges to comply with it?
    3. What have been the economic impacts, including costs and benefits, of creating, maintaining or updating a business continuity plan? To what extent do the costs and benefits have a disproportionate impact on firms based on size and business model? Has the rule led to any negative unintended consequences?
    4. Can FINRA make the rule, guidance or attendant administrative processes more efficient and effective?
    5. Have you ever needed to activate your BCP and if so, was it effective? Please describe the circumstances that led to the activation of your BCP.
    6. How do you determine what may constitute a significant business disruption? To what extent do you address specific types of significant business disruptions in your BCP (e.g., cyber events, terrorist attacks, pandemics or natural disasters)?
    7. What other rules, if any, conflict with or get in the way of business continuity planning?
    8. To what degree does your business or BCP rely on vendors or other external providers? Would the rule be more effective if it addressed expectations around additional diligence into vendor resiliency?

    In addition to comments responsive to these questions, FINRA invites comment on any other aspects of the rule that commenters wish to address. FINRA further requests any data or evidence in support of comments. While the purpose of this Notice is to obtain input as to whether or not the current rule is effective and efficient, FINRA also welcomes specific suggestions as to how the rule should be changed. As discussed above, FINRA will separately consider during the action phase specific changes to the rules.


    1. Persons submitting comments are cautioned that FINRA does not redact or edit personal identifying information, such as names or email addresses, from comment submissions. Persons should submit only information that they wish to make publicly available. See Notice to Members 03-73 (November 2003) (Online Availability of Comments) for more information.

    2. A rule set is a group of rules identified by FINRA staff to contain a similar subject, characteristics or objectives.

    3. See Exchange Act Release No. 49537 (Apr. 7, 2004), 69 Fed. Reg. 19586 (Apr. 13, 2004) (SEC Notice of Order Approving File No. SR-NASD-2002-108). See also Notice to Members 04-37 (May 2004).

    4. See Exchange Act Release No. 60534 (Aug. 19, 2009), 74 FR 44410 (Aug. 28, 2009) (Order Granting Accelerated Approval of Proposed Rule Change, as Modified by Amendment No. 1; File No. SR-FINRA-2009-036) (approving the adoption, without material change, of NASD Rule 3510 (Business Continuity Plans) and NASD Rule 3520 (Emergency Contact Information) as FINRA Rule 4370). See also Regulatory Notice 09-60 (Oct. 2009).

    5. See, e.g., Regulatory Notice 09-59 (Oct. 2009) and FINRA's Small Firm Business Continuity Plan Template [http://www.finra.org/industry/small-firm-business-continuity-plan-template]. See also FINRA's Business Continuity Planning FAQ 16 [http://www.finra.org/industry/faq-business-continuity-planning-faq].