As part of our efforts to keep you up to date on important business continuity standards, we offer the following guidance on FINRA (Financial Industry Regulatory Authority) Rule 4370, which is considered its emergency preparedness rule.
When approved in 2009, FINRA Rule 4370 consolidated NYSE Rule 446 and NASD Rules 3510 and 3520. The rule requires that member firms "establish and maintain business continuity plans that are reasonably designed to enable the firm to meet its obligations to clients in the event of a sudden business disruption." The rule requires that firms conduct an annual review of their plans to determine whether modifications are necessary in light of material changes to their operational environment. Finally, the rule requires firms to provide FINRA with emergency contact information.
If your organization is in the financial sector, following Rule 4370's format and structure will help your organization not only be prepared for potential disruptive events, but also be prepared for FINRA audits.
The structure of Rule 4370 is consistent with good practice within the business continuity industry, and can be mapped to domestic (e.g., NFPA 1600) and international (e.g., ISO 22301:2012) standards. Nowhere does FINRA mention these particular standards; therefore, it is essential that as a financial institution you follow FINRA 4370 first, and then incorporate additional items from other standards as needed. Below, you'll find summaries of the rule's sections.
FINRA 4370 sections
Section (a) -- States each FINRA member must prepare a BC plan that will ensure the institution can meet its obligations to its customers.
Section (b) -- States that each member must update the plan when any material changes occur, and must also conduct an annual review of the plan to ensure it meets the organization's requirements.
Section (c) -- Lists 10 criteria that each plan must address. The amount of detail provided is the responsibility of the financial institution. Examples of reporting items include: data backup and recovery; identification of mission-critical systems; alternate arrangements for locating employees; alternate means of communicating with customers; regulatory reporting; and ensuring members will have access to their funds in an emergency.
Section (d) -- States that a member of the senior management team is responsible for the plan and for its annual review.
Section (e) (this differs from most BC plans) -- States that members must disclose to their customers how their BC plan addresses the possibility of a "future significant business disruption" and how the member plans to respond to events of varying scope. FINRA adds that it is not necessary to provide customers with a copy of their BC plans, only summary-level information.
Section (f) -- States that members must report emergency contact information to FINRA; specifically, a minimum of two employees must be identified as contact points for FINRA. One of these must be a senior manager and registered principal of the firm.
Section (g) -- Defines two key terms in the standard: "mission-critical system" and "financial and operational assessment".
Tips for effectively using FINRA Rule 4370
If you already have a business continuity plan in place, examine it carefully to ensure it is compliant with the items covered in Rule 4370, and update it as needed to ensure compliance.
Be sure to regularly review and update plan information, especially emergency contact data.
Check the FINRA BC website regularly, as it contains highly useful materials:
- Frequently asked questions (FAQ)
- Small-firm BC plan template (a particularly useful document, as it includes sample text you can use to build the content of your plan)
- BC plan case study
- Several other useful background documents
Perform all the traditional activities you associate with business continuity planning, e.g., risk assessments, business impact analyses, team descriptions and roles, awareness and training, recovery strategy definitions, exercises and plan audits.
The key takeaways are: 1) keeping the plan current, 2) performing an annual plan review, 3) maintaining an up-to-date contact list, and 4) preparing a disclosure statement to customers.
For this last requirement, FINRA stipulates that members are required only to summarize the manner in which their BCPs address the possibility of significant business disruptions. Firms are not required to disclose the specific location of any backup facilities, any proprietary information contained in the BCP, or the parties with whom the firm has backup arrangements.
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor, and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.