The PNC Financial Services Group, Inc.
249 Fifth Avenue
One PNC Plaza, 30th Floor

Pittsburgh, PA 15222-2707

412 768-4251 Tel
412 705-2679 Fax
James S. Keller
Chief Regulatory Counsel

October 21, 2002

VIA E-Mail

Ms. Jennifer J. Johnson
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, D.C. 20551
Docket No. R-1128

Office of the Comptroller of the Currency
Public Information Room, Mail Stop 1-5
250 E Street, SW
Washington, DC 20219
Docket No. 02-13

Jonathan G. Katz
Securities and Exchange Commission
450 5th Street, NW
Washington, DC 20549-0609
Release No. 34-46432; File No. S7-32-02

    Re: Comments on Draft Interagency White Paper on Sound Practices
    to Strengthen the Resilience of the U.S. Financial System

Dear Ladies and Gentlemen:

The PNC Financial Services Group, Inc. ("PNC"), Pittsburgh, Pennsylvania, appreciates the opportunity to submit comments on the Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (the "White Paper") issued by the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission (collectively the "Agencies") (67 Fed. Reg. 56,835 (Sept. 5, 2002)).

PNC is one of the largest diversified financial services companies in the United States, with $67.7 billion in assets as of September 30, 2002. Its major businesses include regional community banking, corporate banking, real estate finance, asset-based lending, wealth management, asset management and global fund services, including one of the largest full-service mutual fund transfer agents in the United States (PFPC Inc.). PNC's full-service subsidiary banks have offices in Delaware, Florida, Indiana, Kentucky, New Jersey, Ohio and Pennsylvania.

PNC participated in the drafting and review of the comment submitted by BITS and the Financial Services Roundtable (the "FSR comment letter"), and is generally supportive of that comment. In submitting this comment, PNC seeks to emphasize further some issues that were specific points of concern to PNC. PNC's comments are organized on the basis of the four topic headings suggested by the White Paper, along with an introductory comment section.


PNC commends the Agencies for taking a leadership role by focusing on the importance of business continuity issues generally, and on the risks and threats to the resilience of the financial services infrastructure in particular. PNC has always been a strong adopter of risk-based recovery for business functionality, and believes that it is an integral part of business success. PNC has also heavily invested in infrastructure mitigation and resiliency.

PNC supports the view that best practices be implemented as recommendations and guidelines, and not as regulations. We believe it should be done in a very specific fashion, based on clearly identified industry goals. Institutions, products and recovery objectives must be objectively outlined for success in the effort. If formal "sound practices" are to be defined by regulation, they must be specific enough to identify those organizations to which they apply and the requirements for developing the plan and executing the large capital growth decisions necessary to support the directive.

The White Paper identifies certain critical core clearing and other critical markets that could present systemic risk to the national security and infrastructure. The resiliency improvements suggested by the White Paper can best be achieved if the markets, financial institutions, products, as well as the scenarios and scope of impact, are clearly documented.

Recovery for all other financial services should continue to be risk based and governed by the success to date of existing guidelines.

Scope of Application

  • Definitions of Critical Markets, Firms, and Product Sets

    • Further definition should be provided to clarify those specific markets/firms/products/applications that are subject to the proposed requirements.

  • Locations of Critical Markets and Firms

    • Geographic location alone can be a factor of increased threat. For example, New York City would appear to present a greater threat factor than Pittsburgh. These relative threat factors should be clearly articulated by region, with appropriate guidelines set forth for each region.

    • Since aggregate risk varies greatly from one region to another, the recommendations should be influenced not just by the institution's percentage of the market, but also by the region's aggregate percentage of a particular market.

Recovery and Resumption of Critical Activities

  • Time to Recover

    • Depending upon the application and the outage, the end-of-business day dictated by Fed Fund Windows, etc., may be extended, as it was in fact on September 11. This can and should be factored into any mandated recovery windows.

    • The acceptable amount of lost data, and time required to recreate the data at time of disaster, must be addressed as part of the overall recovery time requirements. This is vital to effective recovery planning and staffing.

Sound Practices

  • Distance to Recovery Site

    • Recovery requirements as specified must be technologically attainable. Current technology does not support synchronous backup at distances greater than 25-30 miles. This limitation increases cost and potential data loss by requiring additional asynchronous backup to recovery sites at greater distances.

    • Recovery requirements must be based on specific scenarios. Under most disaster scenarios, technology back-up recovery sites do not need to be more than a few miles apart to adequately recover the primary site.

    • Distance is not the only factor in delineating resiliency. Focus must be given to infrastructure recovery not under the direct control of the financial institution, including separation of power, telecommunications, transportation and labor sources.

    • Additional clarification of the backup distance for specific regions is required. Assessment should be performed to identify the number of critical financial institutions maintaining back-up sites located in a particular area or with a particular service provider.

  • Labor Pool

    • The requirements and catalysts for staff recovery must clearly identify the operational drivers and requirements for staffing models. Consideration should be given to alternatives, such as outsourcing, cross-training, diversification, redundancy and other options.

Time Table for Implementation

  • Timing

    • Depending upon the specificity of the directive, 180 days after the Agencies issue their final guidelines or regulation may not be a feasible time period for the completion of plans. This would be especially true for institutions where significant product decisions and/or capital investment would be required.

    • Implementation dates have to be sensitive to complex resource requirements and an organization's ability to influence outside infrastructure providers. Implementation may require significant changes in existing infrastructure or the relocation of major facilities, which could require implementation plans extending beyond 2007.

Other Issues

  • Costs

    • Cost will be a major factor for almost all firms impacted by the final guidelines or regulations. Given that specific institutions, applications, and their availability expectations have been identified as vital to national security and infrastructure, we recommend government consideration for funding alternatives similar to those in other equally critical aspects of the national infrastructure.

  • Governance and Regulation During Crisis

    • The Agencies, to avoid delay or confusion during an event, should also document acceptable allowances to be made for certain funding, deadline, and reporting requirements during a wide-scale regional business interruption. These changes may have a significant effect on how firms approach their overall strategy.

  • Enforcement

    • Enforcement must be consistent and applied only where clearly indicated.

* * *

Thank you for providing us with an opportunity to comment on these important issues. Please feel free to contact John P. Ericksen, SVP, Security and Technology Risk Management, 412-762-7761, or Charles F. Rodger, VP, Security and Technology Risk Management, 412-762-8741, if you have any questions or would like to discuss further the comments set forth above.


James S. Keller

cc: Joseph J. Abdelnour
Linda S. Cunningham
Robert B. Barry, Jr.
John J. Wixted, Jr.