Risk Management: Marsh



At Risk
SEC Approves Rules Requiring Business Continuity Plans
Each plan must address how the member will ensure prompt access to customers' funds and securities in the event of a business disruption.

The Securities and Exchange Commission (SEC) recently approved a rule requiring each brokerage member to create and maintain a business continuity plan.

Rule 3510 requires that each member's plan identify "reasonably designed" procedures that will enable it to meet its existing obligations to customers in the event of an emergency or significant business disruption. The rule also requires that a member furnish its business continuity plan promptly if requested by the staff of the National Association of Securities Dealers, Inc. (NASD).



On April 7, 2004, the Securities and Exchange Commission (SEC) approved the new NASD Rule 3500 Series, which requires members to establish emergency preparedness plans and procedures.
Securities and Exchange Commission, 4/7/2004


Rule 3510 also requires each brokerage member to update its plan in the event of any material change to the member's operations, structure, business, or location. An annual review of the member's business continuity plan is also required.

Because of the diversity of members' business and operations, the plan requirements are flexible and should be tailored to address the size and needs of each member. However, each plan must, at a minimum, address how the member will ensure prompt access to customers' funds and securities in the event that it is unable to continue its business. The plan must also address the following key areas:

  • Data back-up and recovery
  • All mission-critical systems
  • Financial and operational assessments
  • Alternate communications between the member and its customers
  • Alternate communications between the member and its employees
  • Alternate physical location of employees
  • Critical business constituent, bank, and counter-party impact
  • Regulatory reporting
  • Communications with regulators



Rule Effective Dates:

    Rule 3510 - Clearing Firms: August 11, 2004

    Rule 3510 - Introducing Firms: September 10, 2004

    Rule 3520 - All Firms: June 14, 2004


Section D within Rule 3510 requires each member to designate a member of senior management, who is also a registered principal, to approve the plan and be responsible for conducting the annual review. The review does not require the member of senior management to personally conduct all aspects of the review; however, he or she must review the final plan, including any proposed changes to the existing plan.

Emergency Contact Information Required
Rule 3520 requires members to provide NASD with emergency contact information and to update any information upon the occurrence of a material change. The rule requires members to designate two emergency contact persons whom NASD may contact in the event of a significant business disruption. Each emergency contact person must be a registered principal and a member of senior management.

NASD, through an outside vendor, will provide a repository service for members' business continuity plans. This service is intended to provide members with a place outside of their firms to store copies of business continuity plans.

Clearing firms must comply with Rule 3510 beginning August 11, 2004, while introducing firms have until September 10, 2004. All firms must comply with Rule 3520 beginning June 14, 2004. As the deadlines for compliance with the new rules approach, executives within brokerage firms should be asking themselves questions such as:

  • When was the last time our business continuity plans were reviewed? If NASD asks for our plans in September, would we be able to provide them?
  • What material changes have we experienced since our plan was reviewed?
  • Have we recently exercised our business continuity plans to ensure we are able to resume operations efficiently and in a timely manner?
  • Do our employees know their roles if we have to implement our plans?
  • Have we reviewed the business continuity plans of our vendors and suppliers?
  • Do our business continuity plans address our relationships with other broker-dealers and counter-parties?
  • Is our current plan compliant with Rule 3510? If not, how do we quickly become compliant?
  • Which executive should hold overall responsibility for our business continuity plans?
  • Who are the two executives whose names and contact information will be provided to NASD as our firm's emergency contacts?
  • Can we rely on our plan to effectively recover mission-critical business functions in the event of a business disruption?

One of the critical lessons learned from the events of September 11, 2001, is the need for more rigorous business continuity planning in the financial services industry. Since September 11, the resilience of the U.S. securities markets has been a matter of principal concern to the SEC and to other regulators.

For example, in April 2003, the SEC, together with the Office of the Comptroller of the Currency and the Board of Governors of the Federal Reserve System, issued the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System. It noted that, “because of the interdependent nature of the U.S. financial markets, all financial firms have a role in improving the overall resilience of the financial system. It therefore is appropriate for all financial firms to review their business continuity plans…”

The Risk Consulting Practice at Marsh can help you implement a business continuity plan to become compliant with Rule 3510 and Rule 3520. We have had a long-standing relationship with regulatory entities and industry groups and have helped to shape best-practices guidance and implementation standards. At Marsh, we have helped many organizations develop and implement plans that have met regulatory requirements, and, most importantly, have worked as designed in real-life situations.



If you have any questions or would like additional information, please contact us.


Copyright © 2004 Marsh Inc.