IPR International LLC
November 7, 2002
Jonathan G. Katz, Secretary
RE: Draft Interagency White Paper on Sound Practices to Strengthen
Dear Mr. Katz:
On behalf of IPR International LLC, I am pleased to submit the following comments on the Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System. As a company that provides a suite of electronic storage services to companies throughout the world, IPR International LLC (IPR) has a vital interest in the integrity and vitality of America's financial system and, hence, in the development of sound practices to strengthen the ability of financial institutions to recover and resume critical business activities in the event of wide-scale, regional disruptions.
At the outset, IPR commends the four agencies (the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Securities and Exchange Commission and the New York State Banking Department) for their willingness to listen to stakeholders and receive comments on proposed sound practices.
IPR International LLC is an industry leader in electronic vaulting and recovery services. Through a comprehensive suite of data storage and document management solutions, IPR provides automatic live backup, simple point-and-click restore procedures, as well as long and short term online, near-line and deep archiving document storage. IPR serves clients worldwide.
The lessons of the last year, from not only September 11, 2001, but also the Arthur Andersen debacle, are that the responsibility for safeguarding company records, and in particular the digital data of a company, should not be delegated to non-senior executives of a company. Time and time again, IPR encounters companies that have lost data, and the reason for the lost data is that the "tech" person was given the responsibility of determining not only how data should be stored and protected, but also what data should be stored and protected. Therefore, our first comment is that best practice requires that decisions regarding data protection and recovery be made at the highest levels of a company, and responsibility for failure to adequately address these issues should fall on the shoulders of senior executives. The resilience of the American financial system should not be delegated down to managers in IT departments.
We have listed the questions posed in the white paper and have provided responses to each.
Scope of application
Have the agencies excluded any critical markets?
Yes, utilities, such as electric and telecommunications, must be a part of the solution. If their recovery is inadequate, then the recovery target will be unachievable.
Have the agencies sufficiently defined the term "core clearing and settlement organizations" for such organizations to identify themselves?
Have the agencies provided sufficient guidance for firms to determine whether they play "significant roles in critical financial markets?"
Are there other measures or additional facts or circumstances that should be used to determine whether a firm plays a significant role or acts as a core clearing organization?
Should the agencies establish an average daily dollar volume (e.g., $20 billion, $50 billion, $150 billion or some larger amount), or a market share test (e.g., 3, 5, 7, 10 percent market share or some larger amount), as a benchmark for either or both of these categories? Should such benchmarks differ by market or activity?
The benchmark should differ by market or activity. A market share test should be used.
In some market segments, there are geographic concentrations of primary and back-up facilities of firms with relatively small market shares. Should sound practices take into consideration the geographic concentration of the back-up sites of firms that as a group could play a significant role in critical markets?
Yes. Firms can take advantage of economies of scale by storing their data at the same facility and with the same vendor, but the facility should be located outside the region.
One of the reasons core clearing organizations are expected to recover and resume is that there are no effective substitutes that can assume their critical activities; is this also true for some or all firms that play significant roles in critical markets?
Yes. The firms are dependent on each other and the failure of even a small firm could roll into a systemic failure of the system. With the technical advances in data storage, bandwidth and data storage software, even small firms have the financial ability to have a very quick recovery and hence should be required to meet recovery time goals.
Should any firms that play significant roles in critical markets be required to meet an intra-day standard for recovery and resumption because of the size of their market share or volume, or the significance of the services they perform for other firms (e.g., as a correspondent bank or clearing broker) in clearing and settling material amounts of transactions and large-value payments?
No, all firms should be required to meet an intra-day standard.
Does the paper's definition of a "wide-scale, regional disruption" provide sufficient guidance for planning for wide-scale, regional disruptions?
No, it would be better to have a geographic measurement. For example, a regional disruption is defined as an event that prevents access to within 50 miles of facilities.
Is there a need to provide some sense of duration of a wide-scale, regional disruption? If so, what should it be?
Yes, if it is anticipated that the disruption will last more than a specific amount of time, the recovery plan should be activated.
Recovery and Resumption of Critical Activities.
Have the agencies identified the critical activities needed to recover and resume operation in critical markets?
No. Support services such as utilities are not identified.
Is there a need to define the term "material" in this context? If so, what should be used?
Sound practice seems to require firms that play significant roles in critical markets to establish recovery targets of four hours after an event for their critical activities. Is this a realistic and achievable recovery-time objective for firms that play significant roles in critical markets? If not, what would be?
Similarly, sound practice seems to require core clearing and settlement organizations to establish recovery and resumption targets of two hours for critical activities. Is this a realistic and achievable resumption-time objective for core clearing and settlement organizations?
Should recovery-and resumption-time objectives differ according to critical markets?
Have the agencies sufficiently described expectations regarding out-of-region back-up resources?
No, there do not appear to be any standards for what an adequate back-up facility should look like.
Should some minimum distance from primary sites be specified for back-up facilities for core clearing and settlement organizations and firms that play significant roles in critical markets (e.g., 200-300 miles between primary and back-up sites)?
Yes, the distance should be at least 50 miles, and farther depending on how regional disruption is defined.
What factors should be used to identify such a minimum distance? Should the agencies specify other requirements (e.g., back-up sites not be dependent on the same labor pools or infrastructure components, including power grid, water supply and transportation systems)?
Yes, the minimum distance should be at least 50 miles.
Are there alternative arrangements (i.e., within a region) that would provide sufficient resilience in a wide-scale, regional disruption? What are they?
Yes, electronic data storage (caveat: a service IPR provides) would enable employees within the disrupted region to have data transmitted electronically to part of a region that has not been adversely affected.
Are there other arrangements that core clearing and settlement organizations should consider, such as common communication protocols that would provide greater assurance that critical activities will be recovered and resumed?
Yes, common communication protocols should be considered.
Timetable for Implementation
To ensure that enhanced business continuity plans are sufficiently coordinated among participants in critical markets, should specific implementation timeframes be considered?
Yes, within one year.
Is it reasonable to expect firms that play significant roles in critical financial markets to achieve sound practices within the next few years?
Yes, it should be within one year.
Should the agencies specify an outside date (e.g., 2007) for achieving sound practices to accommodate those firms that may require more time to adopt sound practices in a cost-effective manner?
No, failure of even a small firm can result in disruption for the entire system.
Would such distant dates communicate a sufficient sense of urgency for addressing the risk of a wide-scale, regional disruption?
No, that is why the date must be within a year.
IPR appreciates this opportunity to present its views on the Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System. Any questions on IPR's views should be directed to Frank J. Real, Chief Financial Officer, IPR International, LLC. Real may be contacted at 610.238.0280.