October 18, 2002
From: Director, Business Continuity
To: Jennifer J. Johnson
Secretary, Board of Governors of the Federal Reserve System
20th Street and Constitution Ave. NW
Washington, DC 20551
Docket No. R-1128
Office of the Comptroller of the Currency
250 E Street, SW
Public Information Room, Mail Stop 1-5
Washington, DC 20219
Docket No. 02-13
Jonathan G. Katz
Secretary, Securities and Exchange Commission
450 5th Street, NW
Washington, DC 20549-0609
File No. S7-32-02
Response to: Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System
US Bancorp appreciates the opportunity to respond to the "Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" white paper. This response is on behalf of US Bancorp and its subsidiaries, Piper Jaffray and Nova Information Systems. We have commented on the areas solicited by the paper and included questions it prompted.
- Scope of application.
- Have agencies excluded any critical markets?
A: Further definition of "critical markets" is needed. Regulators should formally notify institutions of the specific requirements applying to them, the timeframe to comply and resulting penalties for non-compliance. Perhaps guidelines for an Industry Impact Analysis (vs. a Business Impact Analysis) would be beneficial in determining inclusion in critical markets.
We encourage the regulators to consider the substantial cost that will be incurred by firms included in "critical markets" and "core clearing and settlement organizations" and, therefore, required to comply with the new regulations. If a subset of financial institutions have to provide a higher level of business recovery, for the benefit of the entire financial industry, there should be some financial compensation for those organizations.
Is there an impact or cost/benefit analysis associated with the definition of inclusion in these categories? Is there any planned reimbursement vehicle to help institutions fund compliance with the new regulations?
- Have the agencies sufficiently defined the term "core clearing and settlement organizations" for such organizations to identify themselves?
A: "Core clearing and settlement organizations" is not sufficiently specific. Does core clearing and settlement refer to entities involved in stock market operations only, or does it also refer to clearing and settlement in credit card processing operations, for example? Perhaps a broad definition of clearing and settlement organizations should be considered, such as, "A clearing and settlement organization would be defined in general terms as an organization that initiates or receives monetary settlement each and every business day and is contractually obligated to do so with external customers".
- Have the agencies provided sufficient guidance for firms to determine whether they play "significant roles in critical financial markets?"
A: No. It is not understood how far-reaching the business-to-business or business-to-vendor dependency chain goes, when addressing critical markets, or what thresholds determine participation. Do regulations address relationships with providers of infrastructure, such as telecommunications vendors, with single points of failure?
- Should the agencies establish an average daily dollar volume (e.g., $20 billion, $50 billion, $150 billion or some larger amount) or a market share test (e.g., 3, 5, 7, 10 percent market share or some larger amount) as a benchmark for either or both of these categories?
- Should such benchmarks differ by market or activity?
A: Again, a "one size fits all" approach may not sufficiently address the intent of this effort or correctly identify participants. Threshold guidelines with respect to intent would be helpful.
- In some market segments, there are geographic concentrations of primary and backup facilities of firms with relatively small market shares. Should sound practices take into consideration the geographic concentration of the backup sites of firms that as a group could play a significant role in critical markets?
A: Regulatory guidance in this area, also, would be helpful. Is the intent of this paper to address impact as an industry or a firm, and under what conditions? Will there be any regulatory guidance concerning the ratio of firms to recovery site, with respect to any geographic area?
- One of the reasons core clearing organizations are expected to recover and resume is that there are no effective substitutes that can assume their critical activities; is this also true for some or all firms that play significant roles in critical markets?
A: Again, a clarification of "critical markets" is requested.
- Does the paper's definition of a "wide-scale, regional disruption" provide sufficient guidance for planning for wide-scale, regional disruptions?
- Is there a need to provide some sense of duration of a wide-scale, regional disruption? If so, what should it be?
A: Further clarification of the risk analysis leading to a "Wide-scale Regional Disruption" is needed. Previous risk analysis does not support the preparation for massive regional loss due to accident or natural disaster, unilaterally. If the premise for a new level of preparation is the intentional disruption of infrastructure, then more specific risks to the infrastructure need to be identified, to narrow the focus of mitigation. That is, is it acceptable to conduct a risk analysis specific to each of the infrastructure components, independent of an arbitrary geographic radius, and plan contingencies accordingly? Are there other specific threats dictating a minimal geographic envelope for all, such as, nuclear, chemical or biological attacks, that are deemed relevant to this response?
- Recovery and Resumption of Critical Activities.
- Sound practice seems to require firms that play significant roles in critical markets to establish recovery targets of four hours after an event for their critical activities. Is this a realistic and achievable recovery-time objective? If not, what should it be?
- Sound practice seems to require core clearing and settlement organizations to establish recovery targets of two hours for their critical activities. Is this a realistic and achievable recovery-time objective?
- Should recovery- and resumption-time objectives differ according to critical markets?
A: Two to four hour recovery time objectives for large-scale critical activities are not achievable with current technology, given that primary and back-up processing sites must also be physically separated by long distances, i.e., more than about 20 miles. Two to four hour recovery time objectives for large-scale critical activities are achievable with current technology at distances of 20 miles or less.
A recovery time objective should be determined based on the results of a Business Impact Analysis. Agencies should release more specific guidelines on conducting a Business Impact Analysis with respect to intent of strengthening resilience, or, as suggested earlier, an Industry Impact Analysis.
- Sound Practices.
- Have agencies sufficiently described expectations regarding out-of-region resources?
A: Staffing for primary versus back-up sites should be addressed to cover the risk of personnel loss concurrent with site loss. However, is it reasonable, again, to drive all business recovery and resumption planning on the assumption of wide-scale, regional disruptions?
- Should minimum distance from primary sites be specified? What factors should be used to identify a minimum distance?
- Should the agencies specify other requirements (e.g., back-up sites not be dependent on the same labor pools or infrastructure components, including power grid, water supply and transportation systems)?
- Are there alternative arrangements within a region that would provide sufficient resilience in a wide-scale regional disruption?
A: Geographic area alone may not be the criterion for defining a wide-scale region. There is mitigation to the disruption of regional infrastructure within the Twin Cities metropolitan area, as Minneapolis and St. Paul have redundancy in transportation, telecommunications, water and power.
The white paper focuses heavily on wide-scale, regional disruptions as background for new business recovery and resumption expectations. This assumption drives long-distance primary versus back-up site separation.
The assumption of wide-scale, regional disruptions should be questioned. Specific threat profiles may indicate that much shorter distance separation between primary and back-up sites could be acceptable. Requirements for long distances between primary and back-up sites and short recovery time objectives dramatically increase the cost of disaster recovery. We expect a substantial financial impact in meeting out-of-region expectations and would appreciate any insight into the cost benefit analysis and subsidy plans for compliance. Looking back to 9/11/2001, which seems to be driving this new regulatory initiative, businesses affected typically recovered operations within very short distances from the affected area.
- Timetable for Implementation.
- To ensure that enhanced business continuity plans are sufficiently coordinated among participants in critical markets, should specific implementation timeframes be considered?
- Is it reasonable to expect firms to achieve sound practices within the next few years?
- Should agencies specify an outside date for achieving sound practices to accommodate those firms that may require more time to adopt sound practices in a cost-effective manner?
- Would such distant dates communicate a sufficient sense of urgency for addressing the risk of a wide-scale regional disruption?
A: As previously stated, out-of-region recovery, within the timeframes defined, is technically infeasible with current technology. With regard to labor pools, 180 days from the time the agencies release their final views is not sufficient time to implement this. This would incur significant expenditures of time and resources that would make quick implementation prohibitive. The organization would need to consider options such as cross training existing employees to support critical functions, agreements with employment agencies to provide qualified personnel in the event of a disaster, etc. Urgency must coincide with realistically achievable dates.
Thank you for considering the comments of US Bancorp on these critically important issues. If you have any questions or comments, please feel free to contact me at (651) 205-1749 or at firstname.lastname@example.org.
Michael B. Rattigan
Director, Business Continuity
US Bancorp, Piper Jaffray, and Nova Information Systems