The Bank of New York

Donald R. Monks
Senior Executive Vice President
The Bank of New York
101 Barclay Street - 18W
New York, NY 10286

October 21, 2002

Ms. Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve Bank System
20th Street and Constitution Avenue, NW
Washington, DC 20551

Re: Docket No. R-1128 "Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System"

Dear Ms. Johnson:

The Bank of New York is pleased to respond to the request for comment on the draft White Paper. Allow us to begin by complimenting all of the Agencies involved in drafting this important document, which we believe will significantly advance planning for and response to future disasters. The implementation by market participants of the guidelines set forth in the White Paper will, in our opinion, ensure a rapid recovery of the financial markets from any future regional disruption.

At the end of the White Paper, the Agencies solicited comments on a number of important issues. We welcome this opportunity to share our thoughts, and have taken the questions you have raised in order. However, before we discuss the specific questions posed, we wish to emphasize three points that we feel are key to this discussion:

  • We recommend more specific guidance in terms of distance, and what constitutes a "region." We believe the definition of "region" must take into account the local risks and geography, and should balance the safety afforded by distance against the need to move displaced staff quickly to backup sites and resume processing. We suggest that there are actually three types of site scenarios to be considered - data centers, split primary operations, and contingency sites for displaced staff. As a general rule, absent evident risk or observable hazard, we believe that 200 miles should be considered as sufficient separation between primary and recovery data centers and "active-active" split operations. However, because it is not practical to quickly relocate staff hundreds of miles, nor to maintain them for prolonged periods at distances far removed from home and family during a period of regional crisis, it is clear that contingency sites for staff must be located within the same region as their primary workplace.

  • We believe that the definition of "significant" firms needs more specificity, so that firms know whether or not they qualify as significant. In our opinion, the best test is market share, since it identifies the major participants in the critical markets and is well known and easily verified. We submit that 20% market share qualifies an institution as "core clearing and settlement", and that more than 5% share qualifies an institution as "significant."

  • By far, the most critical resource shared by financial institutions that is beyond their control is telecommunications connectivity. The Draft White Paper is an excellent beginning, but it makes no attempt to come to grips with this key issue. We will have achieved nothing if financial institutions can promptly recover their data centers and operations, but there is no telecommunications connectivity to the market utilities and the customer base. It is our experience that individual bank clients of telecommunications service providers have enormous difficulty ensuring telecom route diversity and redundancy. This is especially true when telecommunications routes cross state lines, as will frequently be required given the "out-of-region" guidelines contained within the White Paper. Given the broad reach of this issue and the threat it poses to continuity in critical financial markets, we strongly urge the Agencies to enlist the FCC and other appropriate Federal and State bodies to impose the same kind of continuity guidelines on the telecommunications service providers that are being offered in the White Paper.

    It may take government some time to deal with the political and financial issues that will be involved in requiring that additional standards be met by the telecom carriers. We therefore further recommend that core clearing and settlement firms, in coordination with the other significant market participants that they serve, should be required to formally assess their telecommunications infrastructure and to harden their resiliency on a regular basis. Utilities, such as Fedwire, CHIPS, DTC, SWIFT, etc. should work in concert with their major users to achieve telecom solutions that afford redundancy. Further, by focusing their efforts on the holistic interoperability of the core infrastructures, we believe that new approaches to shared networks and mutual backup can be achieved.

V. Request for Comments

The agencies invite comments on the appropriate scope and application of the sound practices and implementation timetable discussed above, as well as other issues relevant to strengthening the resilience of the financial system in the face of wide-scale regional disasters. In particular the agencies invite comment in the following areas:

Scope of application.

Have the agencies excluded any critical markets?

No. However, we believe that the definition of the "corporate securities" critical market requires further clarification. In this context, what activities and securities are meant by the phrases "corporate securities" and "securities operations?" Does the White Paper intend to apply to U.S. equities only, or does it include non-U.S. securities and securities held in custody overseas? Does it cover derivatives? Does it include end-of-day pricing of mutual funds?

Have the agencies sufficiently defined the term "core clearing and settlement organizations" for such organizations to identify themselves? Have the agencies provided sufficient guidance for firms to determine whether they play "significant roles in critical financial markets?"

We have noted proposed definitions of these terms that are based on market share, and we suggest that these definitions be adopted.

Are there other measures or additional facts or circumstances that should be used to determine whether a firm plays a significant role or acts as a core clearing organization? Should the agencies establish an average daily dollar volume (e.g., $20 billion, $50 billion, $150 billion or some larger amount) or a market share test (e.g., 3, 5, 7, 10 percent market share or some larger amount) as a benchmark for either or both of these categories?

We believe that a market share cut-off would be an appropriate measure of a particular institution's significance in each of the six "critical markets." Dollar value as an indicator of significance has two disadvantages.

  • First, we believe that the Agencies have properly identified the six key markets, and have properly designated them as "critical" to the U.S. financial system. However, these markets vary in size, and a particular dollar amount processed by an institution in one market might make it a major participant in that market, while the same amount in one of the other markets might not be so important.

  • The markets have tended to increase in absolute size over the years, and what is today a significant dollar amount, may not appear so 5-10 years later. Selecting a dollar cut-off would require constant revision of the guidelines, to avoid a "bracket creep" situation whereby ever-smaller organizations are classified as "significant."

We suggest that the agencies designate any institution with 20% share of a critical market as a "core clearing" organization, and any institution with 5% market share as having a "significant role". (We further recommend that these numbers be considered as approximate guidelines, so as not to exclude an institution with a market share of 4.93%, for example.) We believe that market infrastructure organizations, regulators, and market participants have available to them more than adequate data to accurately determine market share.

Should such benchmarks differ by market or activity?

No. Market share is an accurate measure of an institution's significance within a market, regardless of the size of the market. If, however, the Agencies decide to specify significance by dollar amount, we believe that you may have to vary the measure by market.

In some market segments, there are geographic concentrations of primary and back-up facilities of firms with relatively small market shares. Should sound practices take into consideration the geographic concentration of the back-up sites of firms that as a group could play a significant role in critical markets?

No. Smaller players in a market are unlikely to know the contingency arrangements of their counterparts, and so would not know whether such a concentration existed. Further, it is not reasonable to require out-of-region recovery capability of a minor market participant.

We do, however, recommend that the final White Paper address how regulators and firms - large and small - outsourcing their contingency operations to third party service providers will ensure that no provider of contingency services over-commits to a number of firms within the same region.

One of the reasons core clearing organizations are expected to recover and resume is that there are no effective substitutes that can assume their critical activities; is this also true for some or all firms that play significant roles in critical markets?

No. The question, in our opinion, is not whether there is an effective substitute, but rather what will the impact of the lack of a substitute be upon the critical market in question. If the Agencies adopt the market share guideline that we have suggested, the clients of the impacted institution may suffer significant disruption, and certainly the institution itself would, but the critical market would be able to continue its operations.

Should any firms that play significant roles in critical markets be required to meet an intra-day standard for recovery and resumption because of the size of their market share or volume, or the significance of the services they perform for other firms (e.g. as a correspondent bank or clearing broker) in clearing and settling material amounts of transactions and large-value payments?

No. If the market share is not sufficient to classify a participant as "core clearing", then the White Paper's criteria for a four-hour "recovery" should prove sufficient. In our opinion, a "core clearing" designation would require approximately 20% of market share.

Does the paper's definition of a "wide-scale, regional disruption" provide sufficient guidance for planning for wide-scale, regional disruptions?

The Bank of New York believes that the White Paper provides adequate general guidance. However, discussion and debate within the industry suggests that many institutions do not share our view, and would like to have additional guidance. The Agencies may wish to consider involving outside experts with specific competency in this discussion.

Is there a need to provide some sense of duration of a wide-scale, regional disruption? If so, what should it be?

We recommend that core clearing organizations and other organizations with a significant role plan for disruptions of at least 30 days duration. If, as was the case with the 9/11 attack, the disruption should endure longer than 30 days, one month should give organizations adequate time to respond.

Recovery and Resumption of Critical Activities.

Have the agencies identified the critical activities needed to recover and resume operation in critical markets?


Is there a need to define the term "material" in this context? If so, what should be used?

No. The range of potential scenarios is so broad that a precise definition is not possible, and the intent of "material" seems clear.

Sound practice seems to require firms that play significant roles in critical markets to establish recovery targets of four hours after an event for their critical activities. Is this a realistic and achievable recovery-time objective for firms that play significant roles in critical markets? If not, what would be?

Four hours is both realistic and achievable, and represents an appropriate recovery goal for firms with a "significant role".

Similarly, sound practice seems to require core clearing and settlement organizations to establish recovery and resumption targets of two hours for critical activities. Is this a realistic and achievable resumption-time objective for core clearing and settlement organizations?

Given the current state of recovery technology and the fact that staff for many of the core clearing organizations in the six critical markets are located in urban areas more likely to be targeted for terrorist attack, a two-hour recovery time is extremely aggressive. We do, however, agree upon the need for a rapid recovery and resumption of core infrastructure underpinning the markets, and accept two hours as a recovery and resumption "target", but do not believe it should be a firm requirement at this time.

Should recovery- and resumption-time objectives differ according to critical markets?

No. The Agencies have correctly designated the "critical" financial markets. This question seems to imply that some may be more critical than others. We believe that a market is either critical or it is not, and that the same criteria should apply to all critical markets.

Sound practices.

Have the agencies sufficiently described expectations regarding out-of-region back-up resources?

No. Please see our discussion in the next question.

Should some minimum distance from primary sites be specified for back-up facilities for core clearing and settlement organizations and firms that play significant roles in critical markets (e.g., 200 - 300 miles between primary and back-up sites)? What factors should be used to identify such a minimum distance?

The Bank of New York believes that it is difficult to establish hard and fast rules regarding separation of facilities, because there exist several variables, the most important of which are the risks themselves and the type of facilities in question.

The risks - both their likelihood and their severity - are very dependent upon geography. We have always known that some regions of the U.S. are more prone to natural disasters, such as earthquakes, severe storms, and flooding. We believe that it is reasonable to expect that future terrorist attacks, should they occur, are only likely in high-profile major cities or at sites with special importance or vulnerabilities, such as nuclear power plants. It is easy to imagine events in New York City (terrorist attack) or Miami (severe hurricane) that could have widespread disruptive effects out to 50 miles or more. It is difficult to imagine an event in Nashville, central New York State, or Phoenix that would have a footprint that large.

It is also important to consider the type of facilities being considered. We believe that a recovery data center should be out-of-region. We also believe that essential operations supporting the critical markets in which the Bank is a "significant" participant should be split in an "active-active" model, with at least one of the active sites being geographically distant from its sister site(s). As a general rule, absent evident risk or observable hazard, we believe that 200 miles should be considered as more than adequate separation between primary and recovery data centers and "active-active" split operations. We note, however, that there will be situations where a 50 mile separation in a very low risk region will be safer than 200 miles where one of the sites is in a high risk area.

However, there is a third case - contingency sites for operations. Should an operations site be rendered unusable by natural or manmade disaster, we submit that there are two compelling reasons that the contingency site to which the staff recover must be "in-region". In the event of an emergency, displaced employees need to be able to quickly move to their contingency site and resume operations. The events of 9/11 taught us that in a regional disaster, especially one caused by a terrorist act, air transport may be unavailable for days, and geographic obstacles such as rivers may become impassable if the authorities order the closing of bridges and tunnels. It is entirely possible that displaced staff may simply be unable to reach an out-of-region site for a significant period of time. Further, there is a human element to this equation. In the case of a regional disaster, employees will have natural concerns about the safety of their families and their homes, and may not be willing to relocate hundreds of miles away to staff a distant processing site when they are needed most at home. None of this is to suggest that distance is not desirable, and "in-region" in this context is not meant to imply "close." Contingency sites should be miles, not city blocks or hundreds of yards from the primary operations sites that they support. However, this means that the contingency site will have to be within something approximating "normal commuting distance" of the primary site. We recognize the risks inherent in this approach, but feel that it is the solution that best addresses the most likely risks. We emphasize strongly that for essential operations supporting critical markets we will have at least one established out-of-region active site, so that even in a worst-case scenario, where displaced workers are unable to occupy their in-region contingency site, processing will continue, albeit with reduced capacity.

Should the agencies specify other requirements (e.g., back-up sites not be dependent on the same labor pools or infrastructure components, including power grid, water supply and transportation systems)?

It is appropriate for the Agencies to specify other requirements; however, we would make several observations in this regard:

  • While the logic of a separate labor pool is unassailable, even in a split, "active-active" environment, an institution may be able to recover all processing to the unaffected site, but with the efforts of some portion of the staff no longer available, there may still be queuing and throughput issues due to reduced operational capacity. In this regard, it is important to balance the advantages of geographic separation against those of a complete recovery. As we discussed in the previous question, a recovery site or a split operation hundreds or thousands of miles removed from the disaster site may be completely "safe" from a point of view of the immediate effects of a distant regional disaster, but the firm may take days to recover if the travel distance is so large that the staff at the disaster site cannot easily relocate to provide the processing capacity needed.

    In this context, there is a statement on page 11 of the White Paper with which we disagree - "Recovery plans must anticipate the need to have sufficient trained staff located at or near the back-up site to meet recovery objectives and plans for resuming a critical function at normal volumes for an extended duration." [Emphasis added.] We believe that this is unrealistic. Every financial institution maintains only those staffing levels necessary to meet the perceived requirements for processing. If a significant number of staff are killed, injured, or quarantined as a result of a disaster, there will simply not be enough staff available to process "at normal volumes". We believe the requirement should be to resume the critical function and process critical (i.e., large) transactions.

  • Power grid should not be one of the considerations. Power grids are not independent, and the Blackout of 1965 took down the entire East Coast. While that sort of event would hopefully be unlikely today, we are not prepared to say it is impossible. Further, in this age of Uninterruptible Power Supplies and backup generators, no firm should be without power even if utility power is temporarily unavailable.

  • How will you define "water supply"? Is it tied to a specific reservoir, or more broadly to a watershed? We agree that water supply is a critical infrastructure component, and should be part of the other requirements, but would like a little more guidance on the issue.

  • We recommend that the Agencies also address what we believe is the most critical infrastructure component to the financial markets - the availability and diversity of telecommunications circuits. As we pointed out in the beginning of our response, this is the infrastructure component upon which financial institutions are most reliant, and over which they have little control. It is our view that until telecommunications service providers can offer redundant connections with guaranteed diverse routing that there will be no certainty of recovery for key financial markets, and that mitigation of this situation requires the direct involvement of the Federal and State governments.

Are there alternative arrangements (i.e., within a region) that would provide sufficient resilience in a wide-scale, regional disruption? What are they?

While such alternative, in-region arrangements may be feasible, and we are open to the suggestions of others in this regard, we cannot ourselves think of any in-region arrangement that would survive, for example, a regional evacuation.

Are there other arrangements that core clearing and settlement organizations should consider, such as common communication protocols, that would provide greater assurance that critical activities will be recovered and resumed?

We recommend that core clearing and settlement firms, in coordination with the other significant market participants that they serve, should be required to formally assess their telecommunications infrastructure and to harden their resiliency on a regular basis. Utilities, such as Fedwire, CHIPS, DTC, SWIFT, etc. should work in concert with their major users to achieve telecom reliability solutions.

Timetable for Implementation.

To ensure that enhanced business continuity plans are sufficiently coordinated among participants in critical markets, should specific implementation timeframes be considered?


Is it reasonable to expect firms that play significant roles in critical financial markets to achieve sound practices within the next few years?


Should the agencies specify an outside date (e.g. 2007) for achieving sound practices to accommodate those firms that may require more time to adopt sound practices in a cost-effective manner? Would such distant dates communicate a sufficient sense of urgency for addressing the risk of a wide-scale, regional disruption?

We believe that the targets contained within the White Paper - plan completion within six months of final guidance, implementation to begin within one year of final guidance - are reasonable. And we would support the specification of an outside date for completion of plan implementation. Given the complexity of the issues involved, and the significant investment that may be required, we believe that 2007 is a realistic date for completion of plan implementation.

We thank the Agencies for giving us an opportunity to add our voice to this vital discussion, and hope that you will call on The Bank of New York if there is anything we can do to further our mutual objective - the continuity of critical markets. We would be happy to discuss any of our comments in more detail.

Sincerely yours,

Donald R. Monks

CC: Office of the Comptroller of the Currency
250 E Street, SW,
Public Information Room
Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 02-13

Jonathan G. Katz, Secretary
Securities and Exchange Commission
450 5th Street, NW,
Washington, DC 20549-0609
Attention: File No. S7-32-02