The Financial Industry Regulatory Authority (FINRA) recently released a regulatory notice requesting comment on the effectiveness and efficiency of Rule 4370 (Business Continuity Plans and Emergency Contact Information). The comment period expires April 26.
Rule 4370 requires a member firm to create, maintain, annually review and, upon any material change, update a written business continuity plan (BCP) identifying procedures relating to an emergency or significant business disruption. Each member firm may tailor its BCP to the size and needs of its business, provided that the plan addresses the enumerated minimum elements to the extent applicable and necessary to the firm. The rule also requires each member firm to disclose to its customers how the BCP addresses the possibility of a future significant business disruption and how the member firm plans to respond in the event thereof.
In addition, Rule 4370 requires each member firm to provide FINRA with prescribed emergency contact information for the member firm. This requirement is intended to ensure that FINRA has a reliable means of contacting each member firm in the event of an emergency.
As part of its review, FINRA seeks answers to the following questions with respect to these rules:
- Has the rule effectively addressed the problem(s) it was intended to mitigate? To what extent have the original purposes of and need for the rule been affected by subsequent changes to the risk environment, the markets, the delivery of financial services, the applicable regulatory framework or other considerations? Are there alternative ways to achieve the goals of the rule that FINRA should consider?
- What has been your experience with implementation of the rule, including any ambiguities in the rule or challenges to comply with it?
- What have been the economic impacts, including costs and benefits, of creating, maintaining or updating a BCP? To what extent do the costs and benefits have a disproportionate impact on firms based on size and business model? Has the rule led to any negative unintended consequences?
- Can FINRA make the rule, guidance or attendant administrative processes more efficient and effective?
- Have you ever needed to activate your BCP and if so, was it effective? Please describe the circumstances that led to the activation of your BCP.
- How do you determine what may constitute a significant business disruption? To what extent do you address specific types of significant business disruptions in your BCP (e.g., cyber events, terrorist attacks, pandemics or natural disasters)?
- What other rules, if any, conflict with or get in the way of business continuity planning?
- To what degree does your business or BCP rely on vendors or other external providers? Would the rule be more effective if it addressed expectations around additional diligence into vendor resiliency?
A copy of the notice, which details the requirements of Rule 4370 and how to comment, is available here.