FINRA released Regulatory Notice 20-08, “Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief,” (the Notice) on March 9, 2020.1 The Notice primarily serves as (1) a reminder of firms’ obligations to maintain and implement reasonably designed Business Continuity Plans (BCPs), including a discussion of specific areas of potential vulnerability presented by the pandemic; (2) guidance and regulatory relief regarding firms’ obligations to supervise business activities; (3) guidance regarding the availability of extensions for various deadlines, such as extensions for regulatory filings, exam and investigative requests, and licensing and education requirements; and (4) guidance about steps firms should take if they are unable to communicate with customers or FINRA. In a separate communication related to FINRA trade reporting facilities, FINRA also reminded firms they must have written policies and procedures that include a predetermined response addressing over-the-counter (OTC) trading and reporting in the event of a trade reporting issue.
FINRA Rule 4370 BCP Requirements
FINRA Rule 4370 requires firms to create and maintain a written BCP identifying procedures relating to an emergency or significant business disruption. A firm’s BCP procedures must be reasonably designed so the firm can meet its existing obligations to customers.
The Notice reflects that a member firm may conduct its own analysis to determine whether a pandemic or any other event constitutes an emergency or significant business disruption that causes the firm to activate its BCP. FINRA encourages member firms to review their BCPs to consider whether the BCPs are sufficiently flexible to address a wide range of effects in the event of a pandemic, including staff absenteeism, use of remote offices or telework arrangements, travel or transportation limitations, and technology interruptions or slowdowns.
In addition, the Notice specifically discusses FINRA member firms’ obligation to disclose information about their BCPs, the risk areas a BCP must cover and FINRA’s specific need for emergency contact information.
Disclosure obligation: A firm must disclose to its customers how its BCP addresses the possibility of a significant business disruption and how the firm plans to respond to events of varying scope. Significantly, the BCP also must be made available promptly to FINRA staff if requested. Firms may receive such requests from FINRA as the COVID-19 pandemic progresses and should be prepared to provide them quickly.
BCP requirements: The BCP must, at a minimum, address the following: (1) data backup and recovery (hard copy and electronic); (2) all mission-critical systems; (3) financial and operational assessments; (4) alternate communications between customers and the member firm; (5) alternate communications between the member firm and its employees; (6) alternate physical location of employees; (7) critical business constituent, bank and counterparty impact; (8) regulatory reporting; (9) communications with regulators; and (10) how the firm will assure customers’ prompt access to their funds and securities in the event the firm determines that it is unable to continue its business.
The Notice refers to the guidance set forth in FINRA Regulatory Notice 09-59, which discussed the results of FINRA’s survey of certain firms’ pandemic preparedness in response to the outbreak of influenza A (H1N1), or swine flu.2 Regulatory Notice 09-59 was designed to help firms take appropriate measures to prepare for the effects of a pandemic, and included recommended preparations and best practices to address risks associated with increased telecommuting, including:
- Limit remote access to critical users and applications.
- Disable multimedia and social networking capabilities during critical periods.
- Obtain Telecommunication Service Provider status and capabilities through the Department of Homeland Security.
- Critical users should not rely on residential internet access and should secure premium or dedicated service.
- Practice bandwidth-saving through actions such as transferring large amounts of data at night and logging off corporate VPN connections when not in use.
- Stagger telecommuting arrangements by scheduling employees to remote-work at designated times during the day/night in order to disperse and equalize bandwidth requirements.
Emergency contact information: In the Notice, FINRA emphasized that FINRA Rule 4370 also requires member firms to provide (and promptly update) emergency contact information for two emergency contact persons, both of whom must be associated persons. One contact must be a member of senior management and a registered principal of the firm, and the second must be a member of senior management with knowledge of the firm’s business operations. This requirement is intended to ensure that FINRA has reliable means of contacting the firm in the event of an emergency.
Guidance Regarding Firms’ Supervisory Obligations
FINRA understands that firms may implement remote offices or telework in response to the pandemic, and these practices may necessitate that the firm implement alternate methods of supervising its associated persons. FINRA expects a member firm to establish and maintain a supervisory system reasonably designed to supervise the activities of each associated person while working from an alternative or remote location. FINRA also notes that member firms may find it helpful to test broad use of remote offices prior to activating their BCPs, including regarding the ability to connect to critical firm systems, adequacy of residential internet access networks and the potential need to secure dedicated services for connectivity. FINRA reminds member firms to remain vigilant in surveillance against cyber threats, including by: (1) ensuring remote access systems are properly patched with security updates, (2) checking system entitlements, (3) using multifactor authentication for remote access by associated persons and (4) educating associated persons about cyber risks. FINRA also reminds firms that where customer calls are being rerouted to another office, firms must exercise diligence in validating the identity of the customer and provide heightened supervision of the affected customer accounts.
In addition to these reminders about firms’ supervisory obligations in general, FINRA granted the following extensions and regulatory relief:
Firms’ branch inspections may be postponed: Scheduled on-site branch office exams may need to be postponed during the pandemic, and FINRA acknowledged that compliance with FINRA Rule 3110(c) requirements to conduct branch and OSJ inspections during 2020 may need to be reevaluated depending on the duration and severity of the pandemic.
Certain U4 reporting obligations are suspended: FINRA is temporarily suspending the requirement that firms maintain updated U4 information regarding office of employment address for registered persons who temporarily relocate.
Certain Form BR obligations are suspended, but there are clear expectations: FINRA will not require firms to submit branch office applications on Form BR for any newly opened temporary office locations or space-sharing arrangements. However, a firm should use best efforts to provide written notification to its FINRA Risk Monitoring Analyst as soon as possible after establishing a new temporary office or space-sharing arrangement, including:
- Office address
- Name of each member firm involved
- Names of registered personnel
- Contact phone number
- Expected duration
- Whether member firm’s personnel will be sharing space with another entity and, if so, the type of business in which it is engaged
FINRA notes that firms should take into account the risks associated with sharing office space with another entity (e.g., customer privacy, information security and record-keeping considerations) and take steps to mitigate the risks during the emergency relocation.
Other Regulatory Relief and Extensions of Time
FINRA acknowledged that member firms may require extra time to respond to open inquiries, investigations or upcoming filings, and instructed that a firm should contact its Risk Monitoring Analysts or the relevant FINRA department to seek extensions. FINRA may waive late fees in connection with certain late filings, based on specific facts and circumstances. If firms’ data communications are disrupted, firms should retain the relevant data until it can be transmitted to FINRA.
FINRA noted a similar availability of extensions and relief for affected individuals. Individuals with upcoming qualification exams or continuing education windows should contact FINRA for an extension; similarly, FINRA provides registration and licensing relief to individuals who volunteer for or are called into active military duty as a result of the pandemic. Affected individuals (or, if they are associated persons, their firms) should provide the required information to FINRA at [email protected], pursuant to FINRA’s Active Military Leave policy.
Finally, the Notice specifies that if registered representatives are unable to service their customers, member firms are encouraged to promptly place a notice on their websites indicating to affected customers whom they may contact concerning execution of trades, their accounts, and access to funds and securities. Firms should consider supervisory control policies and procedures that will mitigate risks that may arise due to reduced ability to communicate with customers.
Interestingly, the Notice also notes that if a member firm is unable to contact FINRA through its usual means due to a pandemic or other significant business disruption, it should call FINRA’s Call Center at 301.590.6500. Similarly, in a separate communication to certain member firms, FINRA noted that it continues to review its own pandemic plan and BCP to ensure continuous operation of FINRA’s facilities for trade reporting.3 Although FINRA stated that it anticipates that the FINRA facilities will remain fully operational in the event of a pandemic, it reminded firms of previous guidance relating to backup facilities in the unlikely event that FINRA declares a widespread systems outage. FINRA reminded firms that they must establish, maintain and enforce written policies and procedures that include a predetermined response addressing OTC trading and reporting in the event of a FINRA facility systems issue or an issue with the firm’s or its vendors’ systems.
In summary, FINRA member firms should consider taking the following steps immediately:
- Review the sufficiency of BCPs, with particular attention to whether they are sufficiently flexible to address staff absenteeism, use of remote offices or telework arrangements, travel or transportation limitations, and technology interruptions or slowdowns.
- Test broad use of telecommuting or remote work arrangements, including taking steps to ensure remote access systems are properly patched with security updates; check system entitlements; use multifactor authentication for remote access by associated persons; educate associated persons about cyber risks; and develop a process to exercise diligence in validating customer identities.
- Update and maintain emergency contact information, including one contact who is a member of senior management and a registered principal of the firm, and a second contact who is a member of senior management with knowledge of the firm’s business operations.
- Respond promptly to FINRA’s requests for a firm’s BCP, as appropriate.
- Consider whether to request, and request as needed, extensions of time to respond to exam, surveillance, enforcement or other investigative requests for information.
- Consider whether to request, and request as needed, extensions of time to make required filings such as FOCUS filings, Form Custody filings and supplemental FOCUS information pursuant to FINRA Rule 4524.
- Use best efforts to provide written notification to the firm’s FINRA Risk Monitoring Analyst of any newly opened temporary office locations or space-sharing arrangements if the firm relocates personnel to a temporary location that is not currently registered as a branch office or identified as a regular nonbranch location.
- Assist affected associated persons in requesting extensions of time for upcoming qualification exams or continuing education windows.
- Provide required information to FINRA regarding affected individuals who volunteer for or are called into active military duty as a result of the pandemic and require regulatory relief.
- Develop a mechanism to promptly place a notice on the firm’s website in the event that registered representatives are unable to communicate with customers, indicating to affected customers whom they may contact concerning execution of trades, their accounts, and access to funds and securities.
- Confirm that the firm’s written policies and procedures include a predetermined response addressing OTC trading and reporting in the event of a FINRA, firm or vendor systems issue impacting trade reporting.