Comments on NASD Rulemaking
Self-Regulatory Organizations; Notice of Filing of Proposed Rule Change by the National Association of Securities Dealers, Inc. Relating to Business Continuity Plans and Emergency Contact Information
(Release No. 34-46444; File No. SR-NASD-2002-108)
The following information on Letter Type A,
Letter Type A:
Re: File No. SR-NASD-2002-108
Thank you for giving us the opportunity to comment on File No. SR-NASD-2002-108, Notice of Filing Amendment Nos. 4 and 5 to a Proposed Rule Change by the National Association of Securities Dealers, Inc. Relating to Business Continuity Plans and Emergency Contact Information.
We agree with the general proposition that members should create and maintain business continuity plans and provide the NASD with certain information to be used in the event of future significant business disruptions. We also believe, however, that certain portions of the amendments lack the clarity necessary for the amendments to achieve their stated goals. We also believe that this lack of clarity may unintentionally create significant additional burdens on members that are not outweighed by benefits. It is respectfully submitted that the amendments as proposed will not achieve their stated objectives and that intentions stated in the clarifying language following the proposed amendments should be part of the actual proposed rule. Further, the proposed rule may result in unnecessary added burdens to members.
The Proposed Rule Amendment is Vague and Ambiguous
Proposed NASD Rule 3510(a) Amendment
In an attempt to clarify that NASD Rule 3510(a) does not create a new obligation for members to continue their business, the proposed amendment replaces "continue its business in the event of future significant business disruptions" with "meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties."
The statement "meet its existing obligations to customers" is significantly vague and does not adequately clarify that members are not required to continue their business. The statement "address the existing relationships with other broker-dealers and counter-parties" is also unclear. It does not clearly define what level of detail is required in the business continuity plan to meet the requirements of the new language. In addition, that sentence appears to add additional requirements to the contents of the required business continuity plan rather than clarifying that members are not required to remain in business as a result of proposed Rule 3510(a).
A suitable alternative to the proposed language would be to leave the initially proposed language in place ("continue its business in the event of future significant business disruptions.") and to add some of the language stated in the clarifying materials to the rule itself. This might include adding additional language following the original sentence that would:
a) state that this does not create a new obligation on a member to continue its business after a significant business disruption;
b) re-emphasize that the member has the autonomy to choose to cease its operations at any time, provided it does so in a manner consistent with applicable laws and Commission and NASD rules, and;
c) state the rule is also intended to ensure that members have adequate procedures in place to assure customers' prompt access to their funds and securities in the event of future significant business disruptions or the member's cessation of business.
Proposed NASD Rule 3510(c) Amendment
The proposed rule amendment to Rule 3510(c)(6) attempts to clarify that members do not have to address all 3rd party business relationships in their business continuity plans, only those that the member deems critical. To accomplish this, the proposed rule amendment adds "critical" in front of "business constituents, banks, and counter-parties." The definition of "critical" is unclear in the amended language. It has not been defined in proposed Rule 3510(f), although "mission critical systems" have been defined there. In addition, the definitions of the terms used in the original language, "business constituents, banks and counter-parties" have not been defined in the proposed rule, leaving the intent of the original rule language vague and ambiguous.
A suitable alternative to the proposed language of 3510(c)(6) would be to:
a) Define "critical" in the proposed rule to be consistent with the definition of "mission critical" that was used to aid members in identifying critical systems that must be addressed in the business continuity plan.
b) In addition to a) above, re-word 3510(c)(6) to read: "3rd parties supporting members critical business functions and/or mission critical systems". This would clarify the confusion surrounding the definitions of business constituents, banks, and counter-parties while still addressing the intent of the proposed rule - to include alternatives to these entities in the member's business continuity plan.
Even with the alternative changes suggested above, the expectation of the NASD under proposed Rule 3510(c)6 remains unclear from the Rule as it is worded. The comments following the rule include several clarifying statements. These statements should be reviewed and potentially added to the proposed rule amendments in order to further clarify the NASD's expectations1.
The Proposed Rule Amendment Will Not Achieve Its Stated Goal
Proposed NASD Rule 3510(e) Amendment
The amendment adds the following language to the proposed rule, "Each member must disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. At a minimum, such disclosure must be made in writing to customers at account opening, posted on the member's Internet Web site (if the member maintains a Web site), and mailed to customers upon request."
Business continuity plans contain a significant amount of extremely proprietary and confidential information. Disclosure of the details of alternative business plans to the public would expose a firm's critical functions, contingency plans, and confidential and proprietary information which could result in substantial unnecessary loss or damage to the member, significantly outweighing the benefits of the disclosure.
In the comments following the rule amendment, however, the NASD does acknowledge that its intent was not to have the members disclose their actual plans, but that "each member would be required only to create a summary of how its plan addresses the possibility of significant business disruptions and disclose the member's general planned responses to significant business disruptions..."
The proposed rule language should at a minimum be amended to clearly state that the member would be required to provide a general summary of their business continuity plan to the public and that the summary should not contain any proprietary or confidential information or information that could otherwise be damaging to the member firm or its associated 3rd parties if exposed to the public.
It is our contention, however, that even if the proposed rule amendment was amended further as we suggest above, the amendment would still not achieve its stated goal.
The NASD's stated purpose of this additional language in the rule amendment is that "The NASD believes that this requirement would enable investors to make an educated decision about whether to place the funds and securities at the specific member based on the firm's business continuity planning and would also deter members from creating plans that do not adequately address contingency planning."
We believe that by eliminating the confidential and proprietary information from the business continuity plan, the resulting summary statements of all the members would be reduced to such generic statements that they would be significantly similar and as such, would not help customers make an informed decision on whether or not to place funds and securities with a particular firm over another firm.
In addition, the summary level of the plans would not achieve the NASD's additional objective of "deter[ring] members from creating plans that do not adequately address contingency planning". Further, we believe the NASD has sufficiently deterred the members from developing inadequate plans with language already contained in the proposed rule that states "The business continuity plan must be made available promptly upon request to the NASD staff."
For the reasons outlined above we recommend that proposed rule 3510(e) amendment be removed, or at a minimum, be amended as indicated earlier in this letter.
Compliance with the Rule Amendment Would Be Costly
Proposed NASD Rule 3510(e) Amendment
In addition to not achieving its stated goal, proposed rule 3510(e) would be significantly costly to members. The requirement of the amendment to deliver the business continuity plan to customers at account opening adds significant cost to the member that outweighs the benefits of disclosing a general business continuity statement to the customer for events that rarely occur. In addition, we believe the customer currently receives substantial information at account opening and as more information is added, the import of the information becomes lost and the customer becomes increasingly frustrated with the lengthy account opening process.
The Proposed Rule Amendment Contains Unnecessary Restrictions
Proposed NASD Rule 3520(b) Amendment
The proposed amendment to 3520(b) states that "Furthermore, members must have adequate controls and procedures to ensure that only the Executive Representative may perform the review and update." It is unnecessary to require that the Executive Representative physically perform the update to the NASD contact information. We agree that the member should have procedures in place to ensure that an Executive Representative review and approve the review and update. There should be no restrictions in place, however, that prohibit an assistant or employee reporting to the Executive Representative from physically performing the update that the Executive Representative approved.
A suitable alternative would be to reword the proposed language to be, "Furthermore, members must have adequate controls and procedures to ensure the Executive Representative performs the review and approves the update."
For the reasons set forth above, we believe that modifications should be made to proposed NASD Rule 3510 and 3520 amendments. We respectfully request that the proposed rule amendments be updated to clarify portions of 3510(a), (c) and (f), and 3520(b) as outlined above. In addition, we respectfully request that the NASD remove the proposed 3510(e) amendment. Should 3510(e) be implemented, we respectfully request that the rule language be altered to state that summary, non-proprietary information be provided to the public versus the detailed business continuity plan, and that confidential or information that may be damaging to the member or its 3rd parties be excluded. We further request that the language be changed to eliminate the requirement to deliver the business continuity statement to the customer at account opening.