The Financial Services Roundtable
Jennifer J. Johnson
Secretary, Board of Governors of the Federal Reserve System
20th Street and Constitution Ave., NW
Washington, DC 20551
Docket No. R-1128
Superintendent, New York State Banking Department
2 Rector Street
New York, NY 10006-1894
Office of the Comptroller of the Currency
250 E Street, SW
Public Information Room, Mail Stop 1-5
Washington, DC 20219
Jonathan G. Katz
Secretary, Securities and Exchange Commission
450 5th Street, NW
Washington, DC 20549-0609
File No. S7-32-02
Re: Comments on Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System
Dear Ladies and Gentlemen:
BITS and The Financial Services Roundtable (FSR) appreciate the opportunity to comment on the "Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" ("white paper") to the Federal Reserve Board of Governors, New York State Banking Department, Office of the Comptroller of the Currency, and the Securities and Exchange Commission. Our comment letter consists of a summary of our members' key concerns in response to the concepts presented in the draft white paper. Following the summary is an addendum, which consists of specific responses to the questions presented in the draft interagency white paper. The last part of our comment letter is a list of BITS and FSR member companies. Please note that many BITS/FSR members also intend to send separate comment letters to their primary regulators.
Background on BITS/FSR
BITS and FSR represent 100 of the largest integrated financial services institutions providing banking, insurance and investment products and services to American consumers and corporate customers. BITS is the technology group for the Roundtable, serving as the strategic brain trust for the financial services industry where commerce, financial services and technology intersect. FSR is an advocacy and lobbying organization, using grassroots power, knowledge and experience to help shape public policy. For a complete listing of member institutions, please see pages 9 and 10 of the addendum.
BITS and FSR members commend the regulators for taking a leadership role by focusing on the importance of business continuity issues generally and for focusing on the considerable risks and threats to the resilience of the financial services infrastructure and our nation's social structure. The agencies have done an excellent job of engaging in a dialogue and beginning the process of developing strategies to strengthen the resilience of the U.S. financial system.
Certainly, the tragic events of September 11 and their aftermath underscore the importance of robust business continuity planning. Fortunately, the financial services industry has always taken security, reliability and business continuity issues seriously. The industry's track record is exemplary. One of the reasons that financial institutions were able to resume and maintain financial services so quickly following the events of September 11 was the foundation established through lessons learned from Y2K, in addition to long-standing business practices and regulatory requirements. Even so, additional issues were raised by September 11, many of which are addressed in the white paper.
The financial services industry's dependence on other non-financial sectors was one of the most dramatic lessons learned from September 11. While the recovery process was generally efficient, the financial stability of our nation was threatened because of these specific vulnerabilities and interdependencies. The stakes for the financial services industry, and the nation's economy as a whole, are especially high. While BITS and FSR members continue to work proactively on industry-wide and inter-sector efforts to strengthen our preparedness for, and our ability to react to and recover from, future attacks, a fundamental part of this process involves communication with the regulatory and other relevant federal, state and local agencies to ensure a cooperative and coordinated response to any future events.
BITS/FSR members commend the formation of both the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (the Council) and the Financial and Banking Information Infrastructure Committee (FBIIC). We support the missions of the Council and FBIIC to address many of the issues associated with critical infrastructure protection.
Following are comments on major topics in the white paper. Specific responses to questions within the white paper are included as an addendum to this comment letter. (See attached.)
Risk-Based Approach. BITS/FSR members encourage the agencies to consider providing the best practices as recommendations and guidelines and to defer imposing them as prescriptive requirements in the short-term. This will permit the practices to prove themselves over time, and ensure that these practices are appropriate and effective. This is particularly important given that firms of all sizes and importance to the financial services industry are evaluating the risks as they learn more about their vulnerabilities and cross-institutional dependencies. As knowledge is gained via this risk-based approach, firms will be in an improved position to develop better business continuity plans.
BITS/FSR members strongly believe that the regulators should adopt a more "risk-based" approach and avoid delineating so many specific or pre-determined requirements for business continuity planning purposes. BITS/FSR members urge the regulators to be flexible and allow institutions to develop business continuity plans (including back-up strategies such as mutual arrangements with other institutions) to address the risks of their own greatest concerns, including low probability, high impact scenarios. Any requirements that the regulators adopt should take into account realistic threat assessments that are based on both the probability of occurrence and the impact that would occur should one of those probabilities come to pass. BITS/FSR members agree with the goal to recover the most critical activities or functions and not focus on recovery of an individual disabled facility or system. For example, recovery of critical activities or functions could include manual processes, alternative delivery channels, and mutual arrangements.
It is imperative that the financial system be as resilient as possible. It is also imperative that it remains robust and competitive, and fulfills its role in the national and global economies. Profound, systemic changes should be implemented only after the full scope and impact of any proposed changes are fully understood by all affected parties.
Finally, BITS/FSR members specifically encourage a technology-neutral approach since it is not fruitful or appropriate to specify technology solutions. All recovery solutions should be based on risks assessed by the participants and not the current state of technology.
Guidelines vs. Regulations. BITS/FSR members strongly encourage the regulators to adopt guidelines for business continuity planning and to make a commitment to continue to work with the financial services industry to identify vulnerabilities and mitigate risks to firms that are covered by these higher expectations. BITS/FSR members believe it is counter-productive for the regulators to adopt immediate regulations or "final" expectations based upon unproven, speculative guidelines. We, instead, urge continued dialogue to achieve the shared goal of fostering a more resilient financial system.
Coordination/Consistency. BITS/FSR members encourage those regulatory agencies responsible for development of this white paper to ensure that the expectations and requirements in the white paper are coordinated with other federal, state and foreign regulators as well as securities exchanges (e.g., NYSE, NASDAQ, AMEX). Coordination with foreign regulators is especially important for many of our member companies that operate in multiple countries and for some companies that use alternate processing sites in foreign countries. Coordination among regulators and exchanges would ensure that critical dependencies and vulnerabilities are addressed. To this end, BITS and FSR members urge the federal financial regulators to ensure that these expectations are consistent with the updates to the Federal Financial Institutions Examination Council's Information Technology Booklet, most notably the revision to Chapter 10 dealing with business continuity issues.
Definitions. BITS/FSR members want the regulators to develop clearer definitions with examples of activities that are covered by these new expectations and requirements. BITS/FSR members also want the regulators to notify institutions when they are subject to the requirements and provide ample time for institutions to comply with the higher expectations. While most BITS/FSR members noted that the definition of "core clearing and settlement organizations" was clear and understandable, many BITS/FSR members want the regulators to clarify the following terms: "critical markets," "firms that play significant roles in critical financial markets," and "wide-scale regional disruption."
Many BITS/FSR members noted that these definitions and expectations would have a significant impact on financial institutions regardless of whether the definitions/expectations specifically apply. For example, some BITS/FSR members noted that the expectations for out-of-region back-up sites would impose significant costs on institutions. Moreover, institutions that do not meet the definitions could be at a competitive disadvantage for markets and activities with a strong demand for such provisions. In response to these concerns, we encourage the regulators to assess the very substantial costs that would be required to comply with these expectations before the definitions and associated obligations are imposed as requirements. Moreover, the regulators (and the government more broadly) should consider whether the benefits to society (including downstream respondents or small financial institutions) exceed the costs and, further, whether government should subsidize some of the costs imposed by these new and costly requirements.
BITS/FSR members believe the requirements would affect many institutions, even if they did not specifically meet the definition of a covered entity. This is especially true for institutions that play large roles (or aspire to play large roles) in any critical financial markets. BITS/FSR members also noted that their customers may insist that they meet these requirements or seek to move business to institutions that do meet these requirements. Some BITS/FSR members want to know whether their institutions will be held to the same requirements if they provide critical services to covered institutions.
Some BITS/FSR members asked whether the recommendations in the white paper apply to service providers or service bureaus that are not chartered by bank regulators and thus whether regulated institutions would be held to higher, more onerous and costly requirements.
Out-of-Region Back-up Sites. As noted before, BITS and FSR members believe the regulators should adopt a risk-based approach that lays out broad expectations, but does not specify requirements for out-of-region back-up sites. For example, BITS/FSR members believe there should not be a minimum distance between primary and out-of-region back-up sites. Many BITS/FSR members believe that out-of-region back-up sites cannot support synchronous processing beyond a certain range. While BITS/FSR members strongly support separation between primary and back-up sites, the regulators should not impose a de minimis distance between primary and secondary sites. It is important to note that too much distance between primary and secondary sites creates a significant burden on the firms, may be technologically infeasible, and/or could make these subject to additional potential points of failure. Moreover, BITS/FSR members believe that mandating out-of-region back-up sites could result in some financial institutions being unable to continue operations in core businesses and/or those that may be of strategic importance to them.
BITS/FSR members believe that the regulators should provide adequate flexibility for institutions to address the difficult "people issues" in planning for transitions to back-up sites, including out-of-region back-up sites. Many BITS/FSR members are concerned that the white paper does not provide enough flexibility to allow institutions to address these people issues in a cost-effective manner. The range of people issues affects everything from cross-training of personnel who work at primary and out-of-region back-up sites to vendor management issues involving vendors that provide disaster recovery services.
Recovery Times. BITS/FSR members urge the regulators to adopt recovery time targets that are practical, realistic and more flexible. BITS/FSR members believe the requirement that "firms that play significant roles in critical markets should establish recovery targets of four hours after an event" is not realistic or practical due to cross-industry dependencies and given the technological limitations of moving data across lengthy distances in a mirrored environment such that minimal to no data loss is achieved and data integrity is retained. Because firms are dependent on others to conduct business, it is also important for the regulators to take into account the "cascading effect" these recovery targets have on entities that are covered as well as entities that are not covered by these new requirements. Moreover, short recovery time requirements could impose excessively high costs on individual firms. BITS/FSR members also would like the regulators to further explain terms such as "end of day."
Interdependencies. BITS/FSR members applaud the regulators for focusing on the key interdependencies with other critical infrastructure providers. A key vulnerability that surfaced during September 11 was the dependence on telecommunications providers. Due to the financial instability of individual telecommunications firms, it could be said that this critical issue, and the risks associated with it, has become even more complex and serious since September 11. In light of the financial services' and other sectors' reliance on telecommunications infrastructure for critical services, BITS/FSR members strongly encourage the public and private sectors to work cooperatively to address vulnerabilities in the nation's critical telecommunications infrastructure.
BITS is currently working with BITS/FSR members, other sector associations, and representatives of federal agencies to develop a high-level white paper to address the financial services industry's concerns regarding service reliability, inadequate diversity for back-up service, and the lack of economic resources to make important infrastructure improvements. The BITS white paper will be used for discussion and distribution among members, regulators, and CEOs within the financial services and telecommunication sectors. The primary purpose of the paper is to raise awareness of the vulnerabilities to the financial services industry and to provide suggestions for potential solutions. The white paper is based on discussions from a BITS-sponsored forum in July with representatives of the National Communications System, the Federal Communications Commission, the Federal Reserve, the Office of Cyberspace Security, US Treasury, and major telecommunications companies.
Testing. BITS/FSR members strongly encourage robust and comprehensive testing and welcome opportunities to work in partnership with government and other critical sectors. BITS/FSR members believe that cross-organization testing is a significant undertaking that requires cooperation and substantial expense. Many BITS/FSR members request that the regulators jointly sponsor end-to-end testing among affected institutions and all other critical sectors.
Deadlines. BITS/FSR members believe the requirement that plans be completed by mid-to-late 2003 is unrealistic. Before the regulators establish deadlines for complying with any new requirements, it is essential for firms to know the requirements first. Given the difficult and unresolved interdependencies, the regulators should not impose firm deadlines. Many BITS/FSR members believe the implementation date should depend on progress in testing, cooperation among key sectors to address interdependency issues, and incentives provided by government given that the new requirements will impose significant new costs. Many BITS/FSR members believe the suggested 2007 implementation deadline is too early, but also acknowledge that the industry must focus on mitigating vulnerabilities given the potential risks of further acts of terrorism as well as natural disasters. To maintain a sense of urgency we encourage the regulators to adopt a more flexible, phased-in approach. In so doing, key planning and execution deliverables would be more manageable, and changes in key drivers/factors (e.g., threats, technology, infrastructure) may be assessed and responded to as they occur.
Economic Impact. The agencies note in the white paper that "firms indicated that economic trade-offs and competitive considerations exist in making strategic decisions about business continuity that require the continuing leadership of senior management and should not be left to the discretion of individual business units." BITS/FSR members believe this statement should not be considered an invitation to regulation.
BITS/FSR members believe the proposed requirements are so extensive and reflect such a tremendous commitment of time and capital, however, that they should not be imposed as requirements without fully modeling them to assess the cost/benefits, appropriateness, and reasonableness. Failure to properly analyze the requirements could result in ineffective deployment of the resources and capital, result in strategies that are not properly scaled for the most-likely events, or do not fully leverage all possible alternatives. Implementation of such strategies without fully understanding their economic ramifications could also impose unintended consequences that could be otherwise avoided.
Given the significant costs these new requirements may impose on institutions (in addition to the significant expenses many institutions have already expended) and the significant impact this could have on the economy, BITS/FSR members believe that further study and dialogue are necessary. Accordingly, we encourage the regulators to engage in additional dialogue with the industry on cost mitigation concerns.
Thank you for considering the views of BITS/FSR on these important issues. If you have any further questions or comments on these matters, please do not hesitate to contact either of us as well as John Carlson, Senior Director of BITS or Teresa Lindsey, Chief of Staff of BITS at (202) 289-4322.
Catherine A. Allen
Richard M. Whiting
Executive Director and General Counsel
The Financial Services Roundtable
Addendum one: Summary of BITS/FSR Member Responses to Specific Questions
The following are responses from BITS/FSR members to the questions posed by the Federal Reserve Board, New York State Banking Department, Office of the Comptroller of the Currency and Securities and Exchange Commission in the "Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System." For convenience and clarity, the regulators' questions are restated in italics, with the BITS/FSR members' response immediately following.
Definitions and Scope
The white paper defines "critical markets" as the "markets for federal funds, foreign exchange and commercial paper and government, corporate, and mortgage-backed securities." Further, the white paper states: Critical markets provide the means for banks, securities firms, and other financial institutions to adjust their key cash and securities positions and those of their customers in order to manage significant liquidity, market, and other risks to their organizations. Critical markets also provide support for the provision of a wide range of financial services to businesses and consumers in the United States. Certain markets such as the federal funds and government securities markets also support the implementation of monetary policy.
Q: Have the agencies excluded any "critical markets" from the list?
Q: Have the agencies identified the critical activities needed to recover and resume operation in critical markets?
BITS/FSR members believe the regulators should clarify which markets are critical and state why. BITS/FSR members recommend that the definition of critical markets be a functional one (e.g., markets which provide the means for financial institutions to adjust/manage their key cash and securities positions and those of their customers in order to manage material liquidity, market and other risks to the organization). Defining this term functionally will be consistent with the approach taken to define "core clearing and settlement organizations."
BITS/FSR members support the intentional exclusion of issues relating to retail financial services but feel it requires specifically addressing or exempting applicability to large ACH providers or clearinghouses such as the Fed's ACH, since ACH payments are commonly differentiated from large wholesale payments.
Q: Should any firms that play "significant" roles in critical markets be required to meet an intra-day standard for recovery and resumption because of the size of their market share or volume, or the significance of the services they perform for other firms in clearing and settling material amounts of transactions and large-value payments (e.g., as a correspondent bank or clearing broker)?
The white paper does not adequately define the criteria for such a requirement. As noted in the body of our comment letter, BITS/FSR members believe that the regulators should adopt a more "risk-based" approach and avoid delineating "hard-wired" requirements for business continuity planning purposes. BITS/FSR members urge the regulators to be flexible and allow institutions to develop business continuity plans (including back-up strategies such as mutual arrangements with other institutions) to address the risks of their greatest concern, including low probability, high impact scenarios. We also believe the regulators should not impose prescriptive requirements, unless absolutely necessary, in order to enhance the firms' ability to remain competitive in the global market. In addition, BITS/FSR members urge the regulators to not shift a disproportionate burden of costs to only those firms that qualify as "significant."
Q: Is there a need to define the term "material" in this context? If so, what should be used?
Yes. However, any such reference should be defined and include representative benchmarks, preferably as a percentage of market share or percentage of average market volume.
Q: Have the agencies sufficiently defined "core clearing and settlement organizations" for such organizations to identify themselves? Note: the definition of core clearing and settlement organizations is "market utilities that provide critical clearing and settlement services for financial markets and large value payment system operators."
Yes. For the most part, the definition is clear.
Q: Are there other measures or additional facts or circumstances that should be used to determine whether a firm plays a significant role or acts as a core clearing organization?
Yes. An objective tool should be developed to assess the impacts on the financial system if critical activities are impaired. Guidelines should be developed to support assessment of a firm's role in supporting those activities. This would serve a similar function as the "business impact analyses" performed within individual firms. Use of such a tool could significantly reduce subjectivity in determining whether a firm plays a significant role or acts as a core clearing organization, and ensure that the same standards are applied across the industry.
Q: Have the agencies provided sufficient guidance for firms to determine whether they play "significant roles in critical financial markets"? Note: the white paper defines the term as "firms that participate in sufficient volume or value in that their failure to perform critical activities by the end of the business day could present systemic risk. This includes most of the 15-20 major banks and the 5-10 major securities firms and others that play a role in at least one critical market."
BITS and FSR members believe that the agencies have not yet provided sufficient guidance for firms to make this determination. BITS and FSR members recommend that regulators and affected institutions discuss and agree upon acceptable levels of resilience, dependent upon the individual financial institution's significance in critical markets. With most financial institutions, there will likely be a need to "negotiate" acceptable timetables and levels of cost to make the financial institution suitably resilient. This is especially true in today's unstable market conditions.
Q: Should the agencies establish an average daily dollar volume (e.g., $20 billion, $50 billion, $150 billion or greater) as a benchmark for either or both of these categories?
BITS and FSR members offer a qualified yes in response to this question. Tangible benchmarks in terms of dollar-amounts, volumes, critical activities, etc. would be helpful; however, we do not recommend a rigid set of guidelines. For example, the averages should be some form of rolling average and should be related to total market volume. We recommend the latitude for qualifying institutions to work with their regulatory agency or agencies to discuss and negotiate appropriate levels of resilience at appropriate levels of cost within appropriate time constraints. A benchmark in these categories, if recommended, should also consider the percentage of market share serviced by the firm. Benchmarks should also differ according to volume of activity and criticality of the operation. Criticality benchmarks would aid in setting acceptable margins for business continuity.
Q: Should such benchmarks differ by market or activity?
Yes, they should differ by both market and activity. However, we recommend that a comprehensive study of costs associated with meeting such definitions should be completed and published for comment, before the definitions and associated obligations are imposed as requirements. Firms that do not meet the definitions could risk being at a competitive disadvantage, for markets and activities with a strong demand for such provisions. Conversely, in some circumstances, firms that are not required to meet such definitions may actually be at a competitive advantage, because they can forego the substantial start-up and ongoing costs of complying with the requirements.
Q: Should sound practices take into consideration the geographic concentration of the back-up sites of firms that, as a group, could play a significant role in critical markets?
Yes, the sound practices should take into account that these geographic concentrations may result in unintended infrastructure interdependencies that may impact all of them collectively. If the statistical "bottom half" of firms by size collectively constitutes a "significant role" in critical markets, then these practices should consider their potential infrastructure vulnerabilities as if they constituted a single firm, unless the group demonstrates infrastructure diversification in its business continuity planning. Any such consideration should be made with a long-term view. The costs and complexity of making profound systemic changes in both primary locations and practices and back-up locations and practices are likely to be immense. Sound practices should also consider the concentration and location of institutions in any one given vendor.
Q: Can firms that play significant roles in critical markets have no effective substitutes that can assume their critical activities (similar to core clearing organizations, which by definition have no effective substitutes)?
Generally no, based on the September 11 experience. Only in the rarest of circumstances would the scale of the roles of some firms be such that there are no effective alternatives within their markets capable of accommodating their volumes.
Q: Does the paper's definition of a "wide-scale, regional disruption" provide sufficient guidance for planning for wide-scale, regional disruptions? Is there a need to provide some sense of duration of a wide-scale, regional disruption? If so, what should it be? Note: the definition in the paper is as follows: "causes a severe disruption of transportation, telecommunications, power or other critical infrastructure components across a metropolitan or other geographic area and its adjacent communities that are economically integrated with it; or results in wide-scale evacuation or inaccessibility of the population within normal commuting range of the disruption's origin."
This definition is inadequate and offers insufficient guidance. Any disruption has to be defined in terms of type (e.g., power, communications, transportation), extent (e.g., localized, regional, national), and duration for outage, recovery and restoration, etc. since the impact can vary enormously. For example, September 11 was localized but it affected air transportation nationally and internationally. A regional power outage may be considered significant, but if major players have battery backup and generators, the impact may be less. We believe a robust scenario-building effort along with a careful analysis of the threats would help the regulators and the industry to better respond to events and conditions that could impair business operations.
A further concern is that this definition does not adequately emphasize identifying potential infrastructure interdependencies that may impact the duration of regional disruptions and the ability of a firm to accommodate them in its risk assessment and business continuity planning. This is highlighted by recent discussions with the telecommunications sector concerning redundancy and service providers.
Recovery and Resumption of Critical Activities
Q: Have the agencies identified the critical activities needed to recover and resume operations in critical markets?
Not fully. The agencies should clarify such an identification of critical activities by providing a range of representative examples for each activity. However, the objective of "minimizing immediate systemic effects" is helpful. Whether that equates to capabilities for pending or new transactions, it implies that the goal is not recovering to 100 percent normal operations. This key distinction deserves discussion. We believe the goal is to get through a catastrophe without a debilitating sustained loss of vital national financial wholesale transfer and clearing capabilities. Realistically, firms will not operate normally under "rapid recovery" circumstances. They will not have normal throughput, they will probably not be capable of normal aggregate daily volumes, they may operate for partial days outside normal hours, they may not be able to settle in T+N timeframes, and they may have some un-reconciled transactions. Such limitations are not mutually exclusive with the goals of the white paper. Noting them alleviates unrealistic expectations and investments.
Q: The white paper states that "sound practice seems to require firms that play significant roles in critical markets to establish recovery targets of four hours after an event for their critical activities." Is four hours a realistic and achievable recovery-time objective for firms that play significant roles in critical markets? If not, what would be?
BITS/FSR members believe that a four-hour recovery period for firms that play significant roles in critical markets is not practical, particularly given some of the technological limitations of moving data across lengthy distances in a mirrored environment such that minimal to no data loss is achieved and data integrity is retained. This objective cannot be reconciled with other proposed practices regarding prospective minimum distance from primary sites for back-up facilities, and use of different labor pools and critical infrastructure. The greater the distance, the greater the time required to recover and/or the greater the costs associated with doing so. For some firms, the financial, operational, and labor resources required to achieve this time objective are likely to be tremendous and would impose an undue burden on the firms, or may not be realistically achievable at all.
Q: The white paper also states that "sound practice seems to require core clearing and settlement organizations to establish recovery and resumption targets of two hours for critical activities." Is two hours a realistic and achievable resumption-time objective for core clearing and settlement organizations?
Four hours is unrealistic, as stated above, and two hours is even more so, given the likely interconnectivity between various types of applications that process on platforms ranging from mainframe computers to more distributed open systems. This objective cannot be reconciled with other proposed practices regarding prospective minimum distance from primary sites for back-up facilities, and use of different labor pools and critical infrastructure. The greater the distance, the greater the time required to recover and/or the greater the costs associated with doing so.
Q: Should recovery- and resumption-time objectives differ according to critical markets?
Yes. The recovery and resumption target time objectives should vary by time of day. Time objectives for critical markets must minimize potential "cascading effects" that increase systemic risk.
The agencies outlined the following "sound practices" for core clearing and settlement organizations and other firms that play significant roles in critical financial markets:
- Identify critical activities.
- Determine the appropriate recovery and resumption objectives.
- Maintain sufficient out-of-region resources to meet recovery and resumption objectives.
- Routinely use or test recovery and resumption arrangements.
A footnote in the white paper states, "the agencies are not recommending as a sound practice that firms move their primary sites out of center-city locations. There are many important business and internal control reasons for having processing sites near financial markets and firms' headquarters. It is the separation between primary and alternative processing sites that is important in promoting resilience."
BITS and FSR respond to the footnote by stating that while some separation is appropriate and necessary, too much separation creates an enormous burden on the firms, and subjects them to additional potential points of failure. It is important to emphasize that some of the proposed sound practices should seek to establish and maintain a parallel critical infrastructure. Such an endeavor should be modeled in detail and assessed prior to implementation to ensure that capital and resources are directed to appropriate levels of required build-out.
"Out-of-Region Back-up Resources"
Q: Have the agencies sufficiently described expectations regarding out-of-region back-up resources?
BITS and FSR members believe additional guidance is needed. Further, it is extremely difficult to develop and enforce "one size fits all" regulations in a nation as diverse as the United States. The expectations need to be flexible enough in their language to allow firms to demonstrate the true recovery objectives that have been incorporated into this paper, even where arbitrary mileage minimums haven't been met.
Q: Should some minimum distance from primary sites be specified for back-up facilities for core clearing and settlement organizations and firms that play significant roles in critical markets (e.g., 200 - 300 miles between primary and back-up sites)?
Q: What factor(s) should be used to identify such a minimum distance?
No. BITS and FSR members believe there should not be a minimum distance. Fundamental assumptions regarding the nature, scope, and duration of events as the criteria for planning should be proposed and distributed for comment prior to defining such guidelines. Planning directed to regional severe weather would be dramatically different from planning directed to detonation of one or more nuclear devices. Failure to properly level-set the process could result in consumption of undue resources and development of back-up provisions that are not properly scaled for the most likely events.
Given that distance alone is a somewhat arbitrary measure, BITS/FSR members believe there should be a flexible minimum distance. BITS/FSR members believe that 200-300 miles is simply not feasible for data mirroring or synchronous processing. There are other factors that contribute to the risk, as well as the soundness, of a recovery solution. Further, any such criteria should be directed to specific markets on a case-by-case basis, subject to the relative impact of the markets on the financial system. Wherever possible, criteria should be provided as recommendations or guidelines, rather than prescriptive requirements.
Q: Should the agencies specify other requirements (e.g., back-up sites should not be dependent on the same labor pools or infrastructure components, including power grid, water supply and transportation systems)?
The agencies should provide recommendations and guidelines, but defer prescriptive requirements unless absolutely necessary, in order to enhance the firms' ability to remain competitive in the global market. One possibility is to recommend a common threat analysis that demonstrates what the firms' weaknesses are, and then require the firms to work on mitigants jointly with the regulators to achieve mutual satisfaction.
When issuing supervisory guidelines and deadlines, the regulators should coordinate those requirements with other regulatory bodies such as the UK's FSA, so that significant multinational financial institutions, which may likely choose the UK as an alternate processing site in the case of a regional disaster, don't encounter inconsistent or contradictory requirements and are not impeded by the foreign regulators.
Q: Are there alternative arrangements (i.e., within a region) that would provide sufficient resilience in a wide-scale, regional disruption? What are they?
Yes. Back-up sites should accommodate the great majority of potential disruptions, and permit greater scale economies in their development and maintenance. Those sites should have independent back-up provisions for critical infrastructure (e.g., telecommunications, power, water) to reduce the likelihood of impairment due to disruption of critical regional infrastructure. The potential circumstances that would legitimately require back-up hundreds of miles away are extreme and improbable, and may not always warrant the logistics and expense of installing such remote back-up provisions. These arrangements vary given the specific requirements of identified critical systems and assets. At present, the majority of firms located in the World Trade Center have re-located to unaffected parts of the NY metro region. Regional co-location of a firm's facilities may be a possibility, provided that all required infrastructure support (including labor) is identified and redundancy is provided and tested.
Q: Are there other arrangements that core clearing and settlement organizations should consider, such as common communication protocols that would provide greater assurance that critical activities will be recovered and resumed?
It would depend on the market, the potential impact on the financial system if that market is impaired, and the consequences to the core clearing and settlement firms. The methods and processes should be fully modeled and assessed prior to issuing defining requirements.
The white paper notes that "firms should be enhancing their business continuity plans to address wide-scale, regional disruptions, including adoption of implementation plans to achieve these sound practices. To the extent that these sound practices require revisions of the plans, they should be completed as soon as possible and no later than 180 days after the agencies issue their final views." The white paper also states that "all core clearing and settlement organizations, however, should begin to implement plans to establish out-of-region back-up resources within the next year."
BITS and FSR members believe that firms should be required to initiate plans and review them with their regulators within that time frame, but completion is not possible within the amount of time specified. The scope and ramifications of such an initiative are tremendous, and will likely require substantial, enterprise-wide efforts by subject firms. Development of realistic plans to address those requirements should occur over an entire planning cycle, which is generally 365 days. For non-core clearing and settlement firms, we support the flexibly defined implementation targets (as soon as practicable), and the recognition that associated cost and operational considerations are important to maintaining stability while enhanced recovery capabilities are established.
Q: To ensure that enhanced business continuity plans are sufficiently coordinated among participants in critical markets, should specific implementation timeframes be considered?
No, it would add additional burdens and complications to the process without significant gain. Were this considered, it should not be done without fully modeling and assessing the proposals, their ramifications and benefits.
Q: Is it reasonable to expect firms that play significant roles in critical financial markets to achieve sound practices within the next few years?
It is reasonable to expect them to make substantial progress in meeting reasonable requirements within the next few years. However, the requirements should be fully modeled and assessed for cost/benefit, appropriateness, and reasonableness before such requirements are imposed on the firms. The white paper should also recognize that an acceptable plan might contain some "plans for plans," since fully detailed plans are probably not feasible in this time frame without disrupting normal activities.
Q: Should the agencies specify an outside date (e.g., 2007) for achieving sound practices to accommodate those firms that may require more time to adopt sound practices in a cost-effective manner?
Many BITS/FSR members believe the suggested 2007 implementation deadline is too early, but also acknowledge that the industry must focus on mitigating vulnerabilities given the potential risks of further acts of terrorism as well as natural disasters. To maintain a sense of urgency, we encourage the regulators to adopt a more flexible, phased-in approach. In so doing, key planning and execution deliverables would be more manageable, and changes in key drivers/factors (e.g., threats, technology, infrastructure) may be assessed and responded to as they occur. BITS and FSR members support the goal for achieving sound practices, and the recognition that it will take some firms more time than others to do so in a cost-effective manner.
Q: Would such distant dates communicate a sufficient sense of urgency for addressing the risk of a wide-scale, regional disruption?
There is some risk that a distant date would diminish a sense of urgency, but not for most institutions. The sense of urgency can be addressed by encouraging a phased-in approach, so that key planning and execution deliverables are more manageable, and changes in key drivers/factors may be assessed and responded to as they occur or define themselves over the coming months/years (e.g., threats, technology, infrastructure). A distant date allows the business to address this issue in a well-thought-out approach, rather than in a reactive manner.
Addendum two: FSR/BITS Member Companies
ABN-AMRO North America, Inc.
AEGON USA, Inc.
Allfirst Financial, Inc.
Allied Capital Corporation
AMCORE Financial, Inc.
AXA Financial Inc.
Bank of America Corporation
Bank of New York Company, Inc., The
Bank of Tokyo-Mitsubishi Trust Company
BANK ONE CORPORATION
Capital One Financial Corporation
Charles Schwab Corporation, The
Charter One Financial, Inc.
Chubb Corporation, The
Citizens Financial Group, Inc.
City National Corporation
Commerce Bancshares, Inc.
Compass Bancshares, Inc.
Countrywide Credit Industries, Inc.
Credit Suisse First Boston
Cullen/Frost Bankers, Inc.
Edward Jones Investments
FMR Corp. (Fidelity Investments)
Fifth Third Bancorp
First Commonwealth Financial Corporation
First National of Nebraska, Inc.
First Tennessee National Corporation
First Virginia Banks, Inc.
FleetBoston Financial Corporation
Fortis, Inc./Assurant Group
Fulton Financial Corporation
General Motors Acceptance Corporation
Goldman Sachs Group, Inc., The
Guaranty Financial Services
Harris Bankcorp, Inc.
Hartford Financial Services Group, Inc., The
Household International, Inc.
HSBC USA Inc.
Hudson United Bancorp
Huntington Bancshares Incorporated
J.P. Morgan Chase & Co.
Legg Mason, Inc.
M&T Bank Corporation
Marshall & Ilsley Corporation
MassMutual Financial Group
Mellon Financial Corporation
Mercantile Bankshares Corporation
Merrill Lynch & Co., Inc.
National City Corporation
National Commerce Financial Corporation
Northern Trust Corporation
Old National Bancorp
Pacific Century Financial Corporation
PNC Financial Services Group, Inc., The
Provident Bankshares Corporation
Provident Financial Group, Inc.
Providian Financial Corporation
Prudential Insurance Company of America, The
Raymond James Financial, Inc.
RBC Centura Banks, Inc.
Regions Financial Corporation
Riggs National Corporation
Sky Financial Group, Inc.
St. Paul Companies, Inc., The
State Farm Insurance Companies
SunTrust Banks, Inc.
UBS Warburg LLC
Union Planters Corporation
United Bankshares, Inc.
Waddell & Reed Financial, Inc.
Washington Mutual, Inc.
Wells Fargo & Company
Whitney Holding Corporation
Zurich North America