Notice of Filing of Proposed Rule Change by the National Association of Securities Dealers, Inc. Relating to Business Continuity Plans and Emergency Contact Information
Securities and Exchange Commission
(Release No. 34-46444; File No. SR-NASD-2002-108)
August 30, 2002
Self-Regulatory Organizations; Notice of Filing of Proposed Rule Change by the National Association of Securities Dealers, Inc. Relating to Business Continuity Plans and Emergency Contact Information
Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 ("Act"),1 and Rule 19b-4 thereunder,2 notice is hereby given that on August 7, 2002, the National Association of Securities Dealers, Inc. ("NASD") filed with the Securities and Exchange Commission ("SEC" or "Commission") the proposed rule change as described in Items I, II, and III below, which Items have been prepared by NASD. The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.3
I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change
NASD is proposing a rule change to require member firms to create and maintain business continuity plans and supply NASD with certain information to be used in the event of future significant business disruptions. Below is the text of the proposed rule change. Proposed new language is in italics.
Rule 3500. EMERGENCY PREPAREDNESS
Rule 3510. Business Continuity Plans
(a) Each member must create and maintain a written business continuity plan identifying procedures to be followed in the event of an emergency or significant business disruption. The business continuity plan must be made available promptly upon request to NASD staff.
(b) Each member must conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business or location.
(c) The requirements of a business continuity plan are flexible and may be tailored to the size and needs of a member. Each plan, however, must at a minimum, address:
(1) Data back-up and recovery (hard copy and electronic);
(2) All mission critical systems;
(3) Financial and operational assessments;
(4) Alternate communications between customers and the member;
(5) Alternate communications between the member and its employees;
(6) Business constituent, bank and counter-party impact;
(7) Regulatory reporting; and
(8) Communications with regulators.
(d) For purposes of this rule, the following terms shall have the meanings specified below:
(1) "Mission critical system" means any system that is necessary, depending on the nature of a member's business, to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.
(2) "Financial and operational assessment" means a set of written procedures that allows a member to identify changes in its operational, financial, and credit risk exposures.
Rule 3520. Emergency Contact Information
(a) Each member shall report to NASD, via such electronic or other means as NASD may require, prescribed emergency contact information for the member. The emergency contact information for the member includes designation of two emergency contact persons. Each emergency contact person shall be a member of senior management and a registered principal of the member.
(b) Each member must update its emergency contact information, via such electronic or other means as NASD may require, in the event of any material change, but at a minimum must review the information contained therein twice a year to ensure its accuracy.
II. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change
In its filing with the Commission, NASD included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. NASD has prepared summaries, set forth in Sections A, B, and C below, of the most significant aspects of such statements.
A. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change
The purpose of the proposed rule change is to help to ensure that NASD members will be able to continue their business in the event of future significant business disruptions. In the wake of the events of September 11, 2001, the securities markets and industry showed an impressive ability to recover and continue their business. Given the events of this period, NASD examined the industry's recovery capability in greater detail to determine whether any regulatory action was needed to assure swift recovery in the event of any future significant business disruptions. Based upon these findings, NASD is proposing a rule change that will require members to create and maintain business continuity plans and supply NASD with emergency contact information. NASD believes that this proposed rule change is essential to investor protection and market integrity.
NASD Survey Initiative
To fully understand the ability of members to respond to significant business disruptions, such as those resulting from the tragedy of September 11th, NASD surveyed 150 randomly selected member firms and 120 of the largest member firms. The 150 firms chosen to participate in the survey represent a statistically random sample of the entire NASD membership (approximately 5,600 NASD members) proportionately separated into the three categories of introducing, clearing/self-clearing, and specialty products firms. In addition, NASD selected 120 of the largest member firms to survey based on the number of registered persons associated with the firm. These firms collectively represent 70 percent of the registered representative population. The survey questions sent to the 120 large firms were identical to those sent to the 150 randomly selected firms. The results received from the survey sent to the larger firms are distinct from the random sample results and do not overlap.
As further detailed below, the survey revealed many encouraging results. At the same time, the survey showed that a significant number of the randomly selected NASD member firms do not have business continuity plans in place. In addition, a significant number of smaller and mid-sized firms do not store back-up data and systems in a geographically separate location from their primary systems and records. Approximately two-thirds of the randomly selected firms and almost all of the larger firms can recover data from a remote site. Further, less than half of the randomly selected firms and three-fourths of the larger firms have back-up facilities in place that have the capacity to handle the same volume of trading as the primary facility. Nearly all member firms perform daily or weekly back-up of records.
Not surprisingly, the maintenance of trading and investor records by a clearing firm for an introducing firm is common. Financial records, however, are less likely to be maintained by a correspondent's clearing firm. Although clearing firms do maintain certain records for introducing firms, over one-fourth of the introducing firms reported that there are significant records that are not kept at their clearing firm. This was confirmed by clearing firms. The survey results showed that approximately 85 percent of the larger firms have back-up systems to accommodate investor communications between the firm and its customers. In comparison, less than half of the randomly selected firms maintain such systems. Almost three-fourths of the larger firms and less than one-fourth of the randomly selected firms maintain Internet Web sites that allow for customer transactions and emergency communications with investors.
Importantly, the survey also focused on the capability of firms following the September 11th tragedy to ensure that customers had access to their accounts. Very few firms reported that their customers were unable to execute securities transactions in their accounts when the markets became operational following the September 11th tragedy.
The survey examined the ability of NASD members to communicate with key staff during a significant business disruption. Virtually all of the randomly selected firms and the larger firms maintain a readily available list of contact information for the purpose of locating and communicating with key staff during a significant business disruption. In addition, approximately three-fourths of the randomly selected firms and almost all of the larger firms maintain a readily available list of contact information for clearance and settlement organizations, banks, counter-parties, key business relationships, and regulators.
Finally, the survey questioned whether it would be helpful for NASD to serve as a central repository for firms' business continuity plans and emergency contact numbers for key organizations (e.g., Securities and Exchange Commission, Depository Trust & Clearing Corporation, National Securities Clearing Corporation, and Federal Reserve Bank). A substantial number of firms responded that a repository service would be helpful.
NASD Proposed Rules
Rule 3510. Business Continuity Plan Requirement
Based upon the survey findings, discussions with the SEC and the United States General Accounting Office, the experiences of September 11th, and comment letters received in response to Notice to Members 02-23 (April 2002) ("NtM 02-23"), NASD believes that member firms should be required to create and maintain business continuity plans. The proposed rule change recognizes that business continuity plans should reflect the particular operations and activities of a member. Given the diverse nature of the NASD membership, the proposed rule change allows member firms to tailor plans to suit their size, business, and structure. The proposed rule change, however, requires that a member's business continuity plan must, at a minimum, address:
- data back-up and recovery (hard copy and electronic);
- mission critical systems;
- financial and operational assessments;
- alternate communications between customers and the member;
- alternate communications between the member and its employees;
- business constituent, bank and counter-party impact;
- regulatory reporting; and
- communications with regulators.
The proposed rule change defines "mission critical system" as any system that is necessary, depending on the nature of a member's business, to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts, and the delivery of funds and securities. This definition is materially consistent with the SEC's definition of "mission critical system" in its Year 2000 Rule.4
Under the proposed rule change, plans must be made available to NASD staff for inspection during routine examinations and promptly upon request by NASD staff. The proposed rule change requires that each member conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business, or location. In addition, modifications may be necessary due to significant changes in technology that affect a member's operations or business.
NASD also will offer a voluntary repository service for members' business continuity plans. In the event that a member is unable to gain access to its business continuity plan, the member using the repository service could contact NASD staff to obtain a copy of its plan. Similarly, if NASD could not contact a particular firm due to a disaster, it would have a greater opportunity to protect investors and the marketplace, and address concerns, if it had the firm's plan on file. A reasonable, but yet undetermined, fee will be charged to those that opt to take advantage of this service.
Rule 3520. Emergency Contact Information
NASD's experience in the aftermath of September 11th confirms that NASD needs a fully reliable means of contacting firms in the event of an emergency. The proposed rule change would require NASD members to file and keep current with the NASD certain key information that would be of particular importance during significant business disruptions, including:
- emergency contact information for key staff;
- identification of two designated contact persons;
- location of books and records (including back-up locations);
- clearance and settlement information;
- identification of key banking relationships; and
- alternative communication plans for investors.
To lessen any burden imposed by the proposed rule change, NASD intends initially to collect the emergency contact information through the Member Firm Contact Questionnaire on the NASD Web site. Pursuant to Article IV, Section 3 of the NASD By-Laws, NASD members are required to appoint an executive representative to represent, vote, and act for the member in nearly all of the affairs of NASD. An NASD member must appoint an executive representative and update contact information for the executive representative via the Member Firm Contact Questionnaire on the NASD Web site. At this point in time, NASD believes that amending the questionnaire, rather than creating a new form or pursuing amendments to Form U-4 or Form BD, minimizes any regulatory burden placed on NASD members and limits the costs associated with supplying NASD with emergency contact information. Finally, the proposed rule change requires NASD members to update their emergency contact information in the event of any material change, and at a minimum to review the information twice a year, to ensure its accuracy.
Finally, NASD anticipates issuing additional guidance, including a template, to assist firms in satisfying obligations under the proposed rule change.
2. Statutory Basis
NASD believes that the proposed rule change is consistent with the provisions of Section 15A(b)(6) of the Act,5 which requires, among other things, that the NASD's rules must be designed to prevent fraudulent and manipulative acts and practices, to promote just and equitable principles of trade, and, in general, to protect investors and the public interest. NASD believes that the proposed rule change will help to ensure that members are prepared for significant business disruptions, and that it is consistent with the Act.
B. Self-Regulatory Organization's Statement on Burden on Competition
NASD Regulation does not believe that the proposed rule change would result in any burden on competition that is not necessary or appropriate in furtherance of the purposes of the Act.
C. Self-Regulatory Organization's Statement on Comments on the Proposed Rule Change Received from Members, Participants, or Others
The proposed rule change was published for comment in NtM 02-23. Seventeen comment letters were received in response to the Notice. Of the 17 comment letters received, 14 were in favor of the proposed rule change and 3 were opposed. The specific concerns raised by commenters are addressed below.
Categories of a Member Firm's Business Continuity Plan
A few commenters to NtM 02-23 believed that the enumerated categories for a member's business continuity plan were over-inclusive. NASD, however, believes that the categories strike an appropriate balance between ensuring that a member's plan adequately addresses all key areas of its business and allowing a member firm to tailor its plan to its specific size, business, and structure. Further, each member's business continuity plan will only be required to address the eight listed categories stated in proposed NASD Rule 3510(c)(1-8) to the extent applicable and necessary. For example, if a member does not maintain customer accounts at its firm, the member's plan should indicate this fact in its plan.
One commenter to NtM 02-23 stated that NASD should review individual plans to ensure adequacy. In contrast, another commenter indicated that NASD should not review individual plans for adequacy. NASD will limit its review of a member firm's business continuity plan to whether the plan addresses the eight listed categories stated in proposed NASD Rule 3510(c)(1-8). The nature of the review will ensure that NASD is not micro-managing the business operations of each individual firm while ensuring that each plan addresses certain basic areas to protect the investing public and integrity of the markets.
Definition of Mission Critical System
One commenter to NtM 02-23 believed that the definition of "mission critical system" should include infrastructure. While the term infrastructure is not expressly included in the definition of "mission critical system," NASD believes that infrastructure is fully addressed through the definition of "mission critical system" because the rule's purpose is to help to ensure that a member firm will have the ability to continue business during a significant business disruption. As a result, any damage to any infrastructure that affects a member's ability to conduct business because of its effect on a mission critical system must be addressed in any plan.
Definition of Financial and Operational Assessments
Based upon comment letters received in response to NtM 02-23, NASD has amended the definition of "financial and operational assessment." In NtM 02-23, NASD defined "financial and operational assessment" as "a procedure created by a firm to test and determine the firm's capability to conduct business." The new definition states that financial and operational assessment means "a set of written procedures that allows a member firm to identify changes in its operational, financial, and credit risk exposures." Operational risk focuses on the firm's ability to maintain communications with customers and to retrieve key activity records through its "mission critical systems." Financial risk relates to the firm's ability to continue to generate revenue, and obtain new or retain adequate financing and sufficient equity. In addition to the possibility of experiencing operating losses, the value of the firm's investments may deteriorate due to the lack of liquidity in the broader market, which would also hinder the ability of the firm's counter-parties to fulfill their obligations. A firm would be expected to periodically assess the changes in these exposures, and quickly make such an assessment in connection with a significant business disruption. The procedures should be written and implemented to reflect the interrelationship among these risks. NASD believes that the new definition and guidance contain the appropriate level of specificity to assist members in creating their business continuity plans.
Proposed Rule Change's Applicability to Subsidiaries
One comment letter raised a concern over whether a parent corporation would need to create a business continuity plan for each subsidiary member firm or whether the parent corporation could institute a corporate-wide business continuity plan. NASD believes that a subsidiary member firm may satisfy its obligations under the proposed rule change by participation in a corporate-wide business continuity plan of a parent corporation that addresses its subsidiary member firms. As a result, a subsidiary member firm may rely on the corporate-wide business continuity plan of its parent corporation regardless of whether the parent corporation is a member or non-member. The parent corporation's business continuity plan, however, must comply fully with proposed NASD Rule 3510 and address all requirements under the proposed rule change. In addition, the parent and subsidiary corporations must both comply with NASD rules on record-keeping and supervision for purposes of proposed NASD Rule 3510. Finally, the parent corporation must grant NASD access to its business continuity plan upon request.
Updating Business Continuity Plans
The proposed rule change requires that each member conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business, or location. A comment letter received from the Securities Industry Association ("SIA") stated that the duty to update should only be triggered by changes in the nature of a member's business and other material factors. In addition, another commenter suggested that plans might need to be updated more frequently based on changes in technology. NASD believes that it is good business practice for members to update their business continuity plans each time there is a material change but that a regulatory requirement for this would be unduly burdensome. Accordingly, the proposed rule change requires members to annually update their business continuity plans.
SIA also pointed out that the duty to update a business continuity plan may implicate NASD rules on record keeping and supervision. Members must document and keep records of the annual review or any modification to their business continuity plan in accordance with NASD record keeping requirements. In addition, when updating plans, the member must conduct the review in accordance with NASD rules on supervision.
Comments received in response to NtM 02-23 indicated substantial support for a voluntary repository filing service for members' business continuity plans. Ameritrade, Inc. commented that it was concerned about the confidentiality of proprietary information under this service. NASD intends that all proprietary information contained in a member firm's business continuity plan and held by NASD through its repository service will remain confidential unless the information is otherwise publicly available or NASD is required to disclose the information by subpoena or otherwise by law. In addition, since NASD is subject to oversight by the SEC, it will provide the SEC with access to business continuity plans held by NASD.
Burden on Small Firms
Three commenters were concerned about the burden that the proposed rule change would have on small firms. Given the flexibility of the rule and the recognition given to the diverse nature of the NASD membership, NASD believes that small firms will be able to comply with the rule through reasonable efforts and cost. Importantly, the rule should not require firms to hire outside consultants to create business continuity plans. In addition, NASD anticipates issuing future guidance, including a template, to assist member firms, particularly small firms, in creating their own business continuity plans.
Emergency Contact Information
Originally, the proposed rule only required a member to designate one emergency contact person. In light of comments received in response to NtM 02-23, NASD has changed the requirements under the proposed rule to include two emergency contact persons. NASD believes that designating two persons will increase the likelihood that, in the event of a significant business disruption, NASD staff will be able to contact the member firm.
In addition, SIA commented that NASD should proactively query firms for contact information. NASD, however, believes that this duty should lie with the member firm because the member will be best able to identify when a material change has taken place. Further, SIA commented that NASD should provide contacts for member firm problems. NASD believes that it has already established avenues for member firms to contact NASD in the event of a significant business disruption. For example, the NASD Web site provides phone numbers for members to call with any questions.
III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action
Within 35 days of the date of publication of this notice in the Federal Register or within such longer period (i) as the Commission may designate up to 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding, or (ii) as to which the self-regulatory organization consents, the Commission will:
A. by order approve such proposed rule change, or
B. institute proceedings to determine whether the proposed rule change should be disapproved.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Persons making written submissions should file six copies thereof with the Secretary, Securities and Exchange Commission, 450 Fifth Street, NW, Washington, DC 20549-0609. Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for inspection and copying in the Commission's Public Reference Room. Copies of such filing will also be available for inspection and copying at the principal office of the NASD. All submissions should refer to File No. SR-NASD-2002-108 and should be submitted no later than 21 days from the date of publication in the Federal Register.
For the Commission, by the Division of Market Regulation, pursuant to delegated authority.6
Margaret H. McFarland
1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b-4.
3 The Commission notes that the New York Stock Exchange, Inc. ("NYSE") has proposed a substantially similar business continuity plan rule (File No. SR-NYSE-2002-35). The Commission intends to notice concurrently both the NASD proposal and the NYSE proposal. The Commission further notes that, while the NASD rule would potentially apply to dual NASD and NYSE members, the similarity of the NASD and NYSE proposed rules should prevent conflicting compliance obligations on the part of such dual members.
4 See 17 CFR 240.15b7-3T(g)(1).
5 15 U.S.C. 78o-3(b)(6).
6 17 CFR 200.30-3(a)(12).