MVA White Collar Defense, Investigations, and Regulatory Advice Blog

After extensive retrospective review of FINRA Rule 4370, which covers member firm business continuity plan (“BCP”) requirements during times of business disruption (such as the COVID-19 Pandemic), FINRA issued its Retrospective Rule Review Report entitled “Business Continuity Planning and Lessons From the COVID-19 Pandemic.”[1]  In doing so, FINRA issued guidance and summarized stakeholder feedback on such topics as the inspection and registration of temporary/remote offices, Membership Application Program (“MAP”) compliance for those offices, and the integration of incident response and disaster recovery plans in BCPs.  FINRA also decided to maintain Rule 4370 without changes, largely due to this rule’s flexible and non-prescriptive approach.

FINRA Rule 4370, entitled Business Continuity Plans and Emergency Contact Information, “requires a member firm to create, maintain, review at least annually and update upon any material change, a written BCP identifying procedures relating to an emergency or significant business disruption.”[2]  A firm’s BCP procedures, among other things, “must be reasonably designed to enable the member to meet its existing obligations to customers” and “must address the member’s existing relationships with other broker-dealers and counter-parties.”[3]  While requiring certain elements,[4] Rule 4370 allows firms the flexibility to customize their BCP in light of their business model.  The rule also requires firms to provide emergency contact information to FINRA and to keep it updated.[5]

FINRA began its efforts to review the BCP rule in February 2019 through its retrospective review process set forth in Regulatory Notice 19-06 (the “BCP Rule Review”).  The retrospective review process is used by FINRA to determine whether its rules are meeting intended objectives and efficiency based on industry, market, technology, and other environmental changes.  The pandemic hit while this effort was in motion, giving FINRA the opportunity to encourage its firms to evaluate their BCPs and ensure that their updated emergency contact information was in place.  FINRA later initiated a review on the lessons learned from firms and their customers during the pandemic (“the Pandemic Review”), bringing the BCP Rule review into that process.  Those initiatives were covered in FINRA Regulatory Notices 20-08 and 20-42.

FINRA stated that its BCP Rule Review and Pandemic Review:

[C]onfirmed the continuing value and effectiveness of Rule 4370 and its flexible, non-prescriptive approach, and so FINRA proposes to maintain the rule without change.[6]

FINRA noted, “[t]he majority of stakeholders indicated that Rule 4370 works well and expressed the view that the rule’s flexible, non-prescriptive, and risk-based approach has been effective in ensuring firms of all sizes are prepared for potential business disruptions.”[7]  FINRA also provided (and reiterated) some guidance and discussed ongoing initiatives in the following notable areas:

• BCP Testing - FINRA noted that while the rule does not specifically require testing, it does require an annual review to determine whether any modifications are necessary based on changes to the firm’s operations, structure, business, or location. FINRA also noted, however, that testing was an observed effective practice used by firms to fulfill their obligations under the rule and that such testing would help the firm determine whether its BCP was reasonably designed.[8]
• BCP Disclosure to Customers at Account Opening - Noting that although some stakeholders found the BCP customer disclosure requirement to be burdensome, FINRA reiterated its guidance that firms are not required to disclose their actual BCP (including proprietary information) to customers, but instead can give “appropriate levels of summary information about how the firm will address the possibility of a future significant business disruption and how the firm plans to respond to events of varying scope.”[9]
• Minimum Elements of a BCP - While declining to expand the minimum elements of a BCP as stated in Rule 4370 by again citing that rule’s flexible non-prescriptive and risk-based approach, FINRA noted that firms who have adopted separate incident response and disaster recovery plans may benefit from integrating those plans with their BCPs.[10]
• Remote Offices/Registration/MAP - In response to strong continued interest by stakeholders in remote work after the pandemic, FINRA noted that these stakeholders emphasized that the definitions of “branch office” and “office of supervisory jurisdiction” contained within FINRA’s supervision rule (Rule 3110), should be revisited in light of technology usage and evolving work arrangements. FINRA stated that it is engaging with stakeholders to re-evaluate the definitions under Rule 3110(f) and the “potentially significant supervisory impacts that may result from changing the current framework for defining a branch office and the exclusions.”   FINRA also observed that as firms implement return to office plans, those firms may need to register as branch offices current temporary locations or new locations, which could exceed membership application rule safe harbor expansion thresholds or represent a material change in business operations requiring a membership application approval.  FINRA noted that it is considering these concerns and evaluating options “to find a balanced approach in assisting members navigate to the ‘new normal,’ including the application of the MAP rules.”[11]
• Remote Inspections - FINRA noted its adoption of temporary rules to account for pandemic related compliance challenges regarding the internal inspections requirement of Rule 3110(c) and that it is considering modifications to those obligations.[12]
• Engaging with FINRA and FINRA Processes - FINRA noted that during the pandemic, it engaged in ongoing communications with firms to determine the impact of the pandemic on their business and compliance programs, which in turn allowed FINRA to observe risk trends and provide targeted regulatory relief and guidance while leveraging technology to carry out its regulatory mission.[13]
• Qualification Examinations - FINRA stated that it would continue to monitor the delivery of qualification examinations regarding vendor performance and online delivery of some examinations, address any issues, and discuss the potential role of post-pandemic online examinations.[14]
• Virtual Arguments and Hearings - FINRA discussed that while its Dispute Resolution locations have been open for in person proceedings since August 2021, it has permitted arbitration and mediation sessions to proceed virtually during the pandemic. FINRA also stated that it has temporarily amended its rules (through March 31, 2022) to allow virtual hearings in disciplinary and other matters if warranted by current COVID-19 risks posed during in-person hearings.  FINRA is also considering more use of virtual arbitration pre-hearing conferences and hearings.[15]
• Communications with the Public - FINRA referenced its previous FAQs on changed communications practices during the pandemic.[16]

The Retrospective Rule Review Report also provided references to other FINRA guidance, temporary regulatory relief, and initiatives related to BCPs and the pandemic.

More details and information on this topic can be found in FINRA Regulatory Notice 21-44.

---

[1] FINRA Regulatory Notice 21-44.

[2] Id. at 3.

[3] FINRA Rule 4370(a).

[4] Pursuant to FINRA Rule 4370(c), each plan must at a minimum, address: (1) Data back-up and recovery (hard copy and electronic); (2) All mission critical systems; (3) Financial and operational assessments; (4) Alternate communications between customers and the member; (5) Alternate communications between the member and its employees; (6) Alternate physical location of employees; (7) Critical business constituent, bank, and counter-party impact; (8) Regulatory reporting; (9) Communications with regulators; and (10) How the member will assure customers’ prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.  Rule 4370(c) further provides, among other things, that each member must address the above-listed categories to the extent applicable and necessary and that if any of the above-listed categories are not applicable, the member’s business continuity plan need not address the category. The member’s business continuity plan, however, must document the rationale for not including such category in its plan.

[5] FINRA Rule 4370(f).

[6] FINRA Regulatory Notice 21-44 at 4.

[7] Id.

[8] Id.

[9] Id. at 5.

[10] Id. at 6.

[11] Id. at 10-11.

[12] Id. at 10.

[13] Id. at 11.

[14] Id. at 12.

[15] Id. at 12-13.

[16] Id at 13.