U.S. Securities & Exchange Commission
SEC Seal
Home | Previous Page
U.S. Securities and Exchange Commission

NASD Rulemaking
re: Business Continuity Plans and Emergency Contact Information

Securities and Exchange Commission
(Release No. 34-48503; File No. SR-NASD-2002-108)

September 17, 2003

Self-Regulatory Organizations; Notice of Filing of Amendment Nos. 4 and 5 to a Proposed Rule Change by the National Association of Securities Dealers, Inc. Relating to Business Continuity Plans and Emergency Contact Information

Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 ("Act")1 and Rule 19b-4 thereunder,2 the National Association of Securities Dealers, Inc. ("NASD"), on August 7, 2002, filed with the Securities and Exchange Commission ("Commission"), a proposed rule change to require its members to establish and maintain business continuity plans. The Commission published the original proposal in the Federal Register on September 9, 2002.3 In response to comments received, the NASD submitted amendments to the proposed rule change on December 12, 2002;4 January 8, 2003;5 and February 19, 2003.6 The Commission published Amendment Nos. 1, 2, and 3 for comment in the Federal Register on March 10, 2003.7 In response to additional comments received, the NASD submitted Amendment No. 4 to the proposal on September 4, 2003,8 and Amendment No. 5 on September 17, 2003.9 The Commission is publishing this notice of Amendment Nos. 4 and 5 to solicit comments on the proposed rule change, as amended, from interested persons.

I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change

The NASD is proposing certain amendments to the proposed rule change, which requires member firms to create and maintain business continuity plans and provide the NASD with certain information to be used in the event of future significant business disruptions.10 Among other things, Amendment No. 4 clarifies that the proposed rule change would not mandate that members stay in business in the event of a significant business disruption. The new amendment also would impose a disclosure requirement on members. In addition, the amendment would require each member to review and, if necessary, update its emergency contact information. Below is the text of the proposed rule change. The base rule text is that proposed in Amendment No. 3. Proposed new language added by Amendment Nos. 4 and 5 is in italics; text deleted by Amendment Nos. 4 and 5 is in brackets.

* * * * *

3500. EMERGENCY PREPAREDNESS

3510. Business Continuity Plans

(a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to [continue its business in the event of future significant business disruptions] meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.

(b) Each member must update its plan in the event of any material change to the member's operations, structure, business or location. Each member must also conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business, or location.

(c) The elements that comprise a business continuity plan are flexible and may be tailored to the size and needs of a member. Each plan, however, must at a minimum, address:

(1) Data back-up and recovery (hard copy and electronic);

(2) All mission critical systems;

(3) Financial and operational assessments;

(4) Alternate communications between customers and the member;

(5) Alternate communications between the member and its employees;

(6) Critical [B]business constituents, banks, and counter-parties[y impact];

(7) Regulatory reporting; [and]

(8) Communications with regulators; and[.]

(9) How the member will assure customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.

Each member must address the above-listed categories to the extent applicable and necessary [to enable the member to continue its business in the event of a future significant business disruption]. If any of the above-listed categories is not applicable, the member's business continuity plan need not address the category. The member's business continuity plan, however, must document the rationale for not including such category in its plan. If a member relies on another entity for any one of the above-listed categories or any mission critical system, the member's business continuity plan must address this relationship.

(d) Members must designate a member of senior management to approve the plan and he or she shall be responsible for conducting the required annual review. The member of senior management must also be a registered principal.

(e) Each member must disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. At a minimum, such disclosure must be made in writing to customers at account opening, posted on the member's Internet Web site (if the member maintains a Web site), and mailed to customers upon request.

(f) For purposes of this rule, the following terms shall have the meanings specified below:

(1) "Mission critical system" means any system that is necessary, depending on the nature of a member's business, to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.

(2) "Financial and operational assessment" means a set of written procedures that allows a member to identify changes in its operational, financial, and credit risk exposures.

3520. Emergency Contact Information

(a) Each member shall report to NASD, via such electronic or other means as NASD may require, prescribed emergency contact information for the member. Among other things, the emergency contact information for the member includes designation of two emergency contact persons. Each emergency contact person shall be a member of senior management and a registered principal of the member.

(b) Each member must promptly update its emergency contact information, via such electronic or other means as NASD may require, in the event of any material change. Each member must review and, if necessary, update its emergency contact information, including designation of two emergency contact persons, within 17 business days after the end of each calendar quarter to ensure the information's accuracy. The member's Executive Representative must conduct such review and any update. Furthermore, members must have adequate controls and procedures to ensure that only the Executive Representative may perform the review and update.

* * * * *

II. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

In its filing with the Commission, the NASD included statements concerning the purpose of and basis for the proposed rule change, as amended, and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. The NASD has prepared summaries, set forth in Sections A, B, and C below, of the most significant aspects of such statements.

A. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

1. Purpose

The NASD's original proposal and the NYSE's proposal elicited comments from three parties.11 The NASD addressed these comments in Amendment Nos. 1, 2, and 3, which the Commission published for comment in the Federal Register on March 10, 2003.12 The NASD incorporates the interpretations in the Original Notice and Federal Register release of March 10, 2003, to the extent that they are consistent with the interpretations contained in this release. The amended proposals of the NASD and NYSE relating to business continuity planning also elicited comments from three parties.13 The purpose of Amendment No. 4 is to clarify that the proposed rule change does not mandate that members stay in business in the event of a significant business disruption. This amendment also would require each member to disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption. In addition, the amendment would require each member to review and, if necessary, update its emergency contact information on a quarterly basis. Amendment No. 5 clarifies the implementation date of the proposed rules.

Proposed NASD Rule 3510
  • Requirement that Plans be Reasonably Designed to Enable the Member to Continue its Business

Proposed NASD Rule 3510(a) would require that members create and maintain business continuity plans. Amendment No. 3 amended the language of the proposed rule to provide that each member's plan be "reasonably designed to enable the member to continue its business in the event of future significant business disruption." As explained in the Original Notice, the NASD intended for proposed NASD Rule 3510 to require that a member not only conduct a planning process to create a written business plan, but also that the resultant plan ensure that member's ability to continue its business in the event of a significant business disruption.

One commenter expressed concern that the language added to proposed NASD Rule 3510(a) would create a new obligation on a member to continue its business after a significant business disruption.14 This is not the intention of the proposal. The proposal would not deprive a member of its autonomy to choose to cease its operations at any time, provided it does so in a manner consistent with applicable laws and Commission and NASD rules. Nonetheless, to clarify that the rule would not create a new obligation for members to continue their businesses, NASD is amending the proposed rule. Specifically, the proposed rule text stating that "[s]uch procedures must be reasonably designed to enable the member to continue its business in the event of future significant business disruptions" is amended to read, "[s]uch procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties."

The general principle that firms are not required to remain in business is further recognized in a related amendment that the NASD is proposing to make with respect to the categories that a member's plan must, at a minimum, address. In particular, following discussions with Commission staff and NYSE staff, the NASD is proposing to amend proposed NASD Rule 3510(c) to require a plan to address how a member will assure customers' prompt access to their funds and securities in the event that the member determines it is unable to continue its business.15 If a member has customers, the member must detail the procedures it would employ to ensure customer access to funds and securities. This new category would help to ensure that if a member were unable to continue its business following a significant business disruption, those customers holding funds or securities through the member would be able to access their funds and/or securities.

  • Requirement to Update Business Continuity Plans

Proposed NASD Rule 3510(b) states, "[e]ach member must update its plan in the event of any material change to the member's operations, structure, business or location. Each member must also conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business, or location." One commenter suggested that the annual review should be required at the plan component level (either defined by business function or department), rather than the firm level.16 The NASD continues to believe, however, that each member should annually review the contents of its business continuity plan at the overall firm level. Such a firm-level review would, among other things, help to ensure that the business continuity plan continues to operate effectively as a whole notwithstanding any operational or business changes that may have occurred in a defined business area or department.

  • Senior Management Approval

Proposed NASD Rule 3510(d) requires that "[m]embers must designate a member of senior management to approve the plan and he or she shall be responsible for conducting the required annual review." One commenter requested clarification of whether the member of senior management would actually be required to conduct the review or whether he or she must only ensure that the review was completed.17 The NASD believes that it is the responsibility of the designated member of senior management to ensure an adequate, (at least) annual, firm-level review of the member's business continuity plan. This would not require the member of senior management to personally conduct all aspects of the review; however, he or she would be required to review the final plan, including any proposed changes to the existing plan, and have a reasonable basis on which to believe that any persons delegated to conduct the more detailed parts of the review had the appropriate levels of knowledge in their assigned areas.

  • Business Constituent, Bank, and Counter-Party Impact

The proposal would require a member's business continuity plan to address "business constituent, bank, and counter-party impact." In addressing this category, the NASD stated that firms should have procedures that assess the impact that a significant business disruption has on business constituents (businesses with which a member firm has an ongoing commercial relationship in support of the member's operating activities), banks (lenders), and counter-parties (such as other broker-dealers or institutional customers). In addition, the NASD stated that members should provide for alternative actions or arrangements with respect to their contractual relationships with business constituents, banks, and counter-parties upon the occurrence of a material business disruption to either party.

The commenters expressed concern over this provision. Commenters contended that the requirement to provide for alternative actions or arrangements would place an undue burden on members, might upset existing contracts, and presupposes that all such actions or arrangement are sufficiently critical to require consideration of alternatives.18 Another commenter suggested that the term "business constituent" should be limited to customer relationships.19

The NASD disagrees with the commenters that the provision is unduly burdensome or that it might upset existing contracts. The provision would require only that a firm consider and include in its plan alternative steps that the firm would take in the event that a member's critical business constituents, bank, or counter-parties were inaccessible. The rule would not mandate that a member enter into supplemental contracts or conditional agreements. For example, if a member were to determine that a telecommunications company is a critical business constituent, the member would then be required to create procedures or actions to follow in the event that this business constituent was unavailable. Alternatively, the member could enter into a supplemental agreement with another telecommunications service to provide back-up services. The rule permits each member to adopt an approach in dealing with its business constituents, banks, and counter-parties that is best suited to the member's particular operations, structure, business, and location. It would require a member only to assess the effect of a significant business disruption on its business constituents, banks, and counter-parties and decide appropriate actions if faced with any such situation.

The NASD, however, recognizes that certain business constituent, banking, and counter-party relationships might not be critical to a firm's business or operations. The NASD, therefore, is amending the category of "business constituent, bank, and counter-party impact" in proposed NASD Rule 3510(c)(6) to read, "[c]ritical business constituents, banks, and counter-parties." Members would be responsible for identifying those relationships that they deem critical for purposes of complying with the rule; the NASD, however, would consider, based on its experience in working with the rule following its adoption, whether to enumerate specific relationships that it views as critical to all members.

  • Disclosure Provision

Following discussions with Commission staff and NYSE staff, the NASD also is amending the proposed rule text to require each member to disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. Furthermore, such disclosure would be required, at a minimum, to be made in writing to customers at account opening, posted on the member's Internet Web site (if the member maintains a Web site), and mailed to customers upon request. The NASD believes that this requirement would enable investors to make an educated decision about whether to place their funds and securities at the specific member based on the firm's business continuity planning and also would deter members from creating plans that do not adequately address contingency planning. The NASD, however, notes that members would not be required to disclose their actual plans; rather, each member would be required only to create a summary of how its plan addresses the possibility of significant business disruptions and disclose the member's general planned responses to significant business disruptions. Members would not need to disclose such factors as: the specific location of any back-up facilities; any proprietary information contained in plan; or the parties with whom the member has back-up arrangements. Members, however, would need to disclose the existence of back-up facilities and arrangements.

  • Technical Amendment

Two commenters questioned a technical amendment made by the NASD to the proposed rule text. Originally, proposed NASD Rule 3510(a) would have required that a member have a plan identifying procedures "to be followed in the event of an emergency or significant business disruption." In Amendment No. 3, the NASD changed "to be followed in the event of an emergency or significant business disruption" to "relating to an emergency or significant business disruption." The commenters believed that this new language is less clear than the language originally proposed.20 This technical amendment, however, intends only to reflect that a plan might include more than a list of procedures to be followed by the member in the event of a significant business disruption. For example, a plan may reference an existing arrangement with another entity that permits the entity to perform services for the member in the event of a future business disruption. While this arrangement is not necessarily a procedure to be followed by the member in the event of a significant business disruption, it does reflect the member's procedures relating to a business disruption and should be included in the member's business continuity plan.

Proposed NASD Rule 3520
  • Emergency Contact Information

Proposed NASD Rule 3520 would require members to provide the NASD with emergency contact information and to update any information upon the occurrence of a material change. The proposed rule would require members, among other things, to designate two emergency contact persons that the NASD could contact in the event of a significant business disruption. Each emergency contact person would have to be a registered principal and a member of senior management.

One commenter asserted that the proposed rule should not require emergency contact persons to be members of senior management and registered principals. The commenter characterized this requirement as invasive and believed that the NASD should allow others to serve as emergency contact persons.21 The NASD disagrees with this assessment. The NASD proposed this requirement to address situations in which the NASD wishes to contact a member in the event of a significant business disruption and believes that the emergency contact persons must be registered principals and members of senior management. Under such critical circumstances, the NASD wants to ensure that it will be able to contact persons in senior management directly regarding the condition and operations of the firm. Moreover, the NASD believes that it is essential that the emergency contact persons be members of senior management with the authority, experience, and knowledge to make potentially critical and time-sensitive decisions regarding the firm.22

  • Review and Update of Emergency Contact Information

The NASD also is amending its proposed rule to include a requirement that each member review and update, if necessary, its emergency contact information on a quarterly basis. Proposed NASD Rule 3520(b), as amended by Amendment No. 1, would require members to promptly update their emergency contact information in the event of any material change. Because of the essential nature of this information, the NASD believes that members also should review and update this information on a quarterly basis to ensure its accuracy. Consistent with the quarterly FOCUS reporting schedule, members must review or update, if necessary, its emergency contact information within 17 business days after the end of each calendar quarter. Under this provision, the member's Executive Representative must perform the review and update. Finally, members must have adequate controls and procedures to ensure that only the Executive Representative may perform the review and update of the member's emergency contact information.

  • Effective Date of Rules

One commenter requested that, upon Commission approval of the proposed rule change, the NASD announce in the Federal Register an effective date for the rule of 360 days after notice of Commission approval.23 In Amendment No. 5, the NASD proposes to establish separate effective dates for introducing firms and clearing firms (including self-clearing firms) to create or modify their business continuity plans, as required by proposed NASD Rule 3510. The NASD believes that this is necessary because many introducing firms may need access to information regarding the business continuity planning of their clearing firms. To ensure that introducing firms would have sufficient time to create or modify sections of their plans that might be affected by the plans of their clearing firms, the NASD is extending by 30 days the proposed effective date for introducing firms to comply with proposed NASD Rule 3510.

In addition, to further consistency with the business continuity plan rule proposed by the NYSE, the NASD is proposing in Amendment No. 5 to calculate the effective dates of both proposed NASD Rules 3510 and 3520 from the date of publication of the Commission approval order. Accordingly, clearing firms would have to establish business continuity plans, as required by proposed NASD Rule 3510, within 120 days of the publication of the Commission order announcing the approval of the NASD's rule filing; introducing firms would be required to establish business continuity plans, as required by proposed NASD Rule 3510, within 150 days of the publication of the Commission order announcing the approval of the NASD's rule filing. All members (both introducing and clearing firms) would be required to designate emergency contact persons and provide the NASD with their contact information, as required by proposed NASD Rule 3520, within 60 days of publication of the Commission's approval order.

2. Statutory Basis

The NASD believes that the proposed rule change, as amended, is consistent with the provisions of Section 15A(b)(6) of the Act,24 which requires, among other things, that the NASD's rules be designed to prevent fraudulent and manipulative acts and practices; to promote just and equitable principles of trade; and, in general, to protect investors and the public interest. The NASD believes that the proposed rule change, as amended, which would help to ensure that members are prepared for significant business disruptions, is consistent with those purposes.

B. Self-Regulatory Organization's Statement on Burden on Competition

The NASD does not believe that the proposed rule change, as amended, would result in any burden on competition that is not necessary or appropriate in furtherance of the purposes of the Act.

C. Self-Regulatory Organization's Statement on Comments on the Proposed Rule Change Received from Members, Participants, or Others

Written comments were received in response to Notice to Members 02-23 (April 2002) and the Original Notice. The NASD received 32 comment letters following publication of the Notice to Members. The NASD received three comment letters in response to the Original Notice.25 The NASD addressed these comments in Amendment Nos. 1, 2, and 3, which were published for comment in the Federal Register on March 10, 2003.26 The NASD incorporates the interpretations in the Original Notice and Amendment Nos. 1, 2, and 3 to the extent that they are consistent with the interpretations contained in this release. In response to the Federal Register notice of March 10, 2003, the Commission received three comment letters.27 The NASD's response to these comment letters is contained in Section II(A)(1) above.

III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action

Within 35 days of the date of publication of this notice in the Federal Register or within such longer period (i) as the Commission may designate up to 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding, or (ii) as to which the self-regulatory organization consents, the Commission will:

(A) by order approve such proposed rule change; or

(B) institute proceedings to determine whether the proposed rule change should be disapproved.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the proposed rule change, as amended, is consistent with the Act. Persons making written submissions should file six copies thereof with the Secretary, Securities and Exchange Commission, 450 Fifth Street, NW, Washington, DC 20549-0609. Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for inspection and copying in the Commission's Public Reference Room. Copies of such filing will also be available for inspection and copying at the principal office of the NASD. All submissions should refer to File No. SR-NASD-2002-108 and should be submitted by [insert date 21 days from the date of publication].

For the Commission, by the Division of Market Regulation, pursuant to delegated authority.28

Margaret H. McFarland
Deputy Secretary

Endnotes

1 15 U.S.C. 78s(b)(1).

2 17 CFR 240.19b-4.

3 Securities Exchange Act Release No. 46444 (August 30, 2002), 67 FR 57257 ("Original Notice").

4 See letter from Brian J. Woldow, Office of General Counsel, NASD, to Katherine A. England, Division of Market Regulation ("Division"), Commission, dated December 11, 2002 ("Amendment No. 1").

5 See letter from Brian J. Woldow, Office of General Counsel, NASD, to Katherine A. England, Division, Commission, dated January 8, 2003 ("Amendment No. 2").

6 See letter from Brian J. Woldow, Office of General Counsel, NASD, to Katherine A. England, Division, Commission, dated February 19, 2003 ("Amendment No. 3").

7 Securities Exchange Act Release No. 47441 (March 4, 2003), 68 FR 11432.

8 See letter from Brian J. Woldow, Office of General Counsel, NASD, to Katherine A. England, Division, Commission, dated September 3, 2003 ("Amendment No. 4").

9 See letter from Brian J. Woldow, Office of General Counsel, NASD, to Katherine A. England, Division, Commission, dated September 16, 2003 ("Amendment No. 5").

10 A similar rule change has been proposed by the New York Stock Exchange ("NYSE"). See Securities Exchange Act Release No. 46443 (August 20, 2002), 67 FR 57264 (September 9, 2002) (original NYSE proposal); Securities Exchange Act Release No. 47584 (March 27, 2003), 68 FR 16334 (September 9, 2002) (Amendment No. 3 to NYSE proposal).

11 One commenter submitted a single letter that addressed both proposals. See letter from Melvyn Musson, Edward D. Jones & Co. ("Edward Jones"), to Jonathan G. Katz, Secretary, Commission, dated September 30, 2002. A second commenter submitted two letters that addressed each proposal separately. See letters from Jerry W. Klawitter, Securities Industry Association and Bond Market Association ("SIA/BMA"), to Margaret H. McFarland, Deputy Secretary, Commission, dated September 30, 2002. A third commenter submitted a letter that addressed only the NASD proposal. See letter from Frances M. Stadler, Investment Company Institute, to Jonathan G. Katz, Secretary, Commission, dated September 30, 2002.

12 See supra note 7. The Commission also published for comment Amendment No. 3 to the NYSE's proposal relating to business continuity planning. See supra note 10.

13 Two commenters responded only to the NASD proposal. See letter from Melvyn Musson, Edward Jones, to Jonathan G. Katz, Secretary, Commission, dated March 28, 2003 ("Edward Jones Letter"); letter from Thomas K. Heard, A.G. Edwards & Sons, Inc., to Jonathan G. Katz, Secretary, Commission, dated March 31, 2003 ("A.G. Edwards Letter"). One commenter, the SIA/BMA, submitted a separate letter in response to each notice. See letters from Jerry W. Klawitter, SIA/BMA, to Jonathan G. Katz, Secretary, Commission, dated March 31, 2003 ("SIA/BMA Letter"), and April 24, 2003.

14 See SIA/BMA Letter.

15 The NYSE also is proposing a substantially similar amendment. See Securities Exchange Act Release No. 48502 (September 17, 2003) (Amendment No. 4 to NYSE proposal relating to business continuity planning).

16 See A.G. Edwards Letter.

17 See Edward Jones Letter.

18 See SIA/BMA Letter; A.G. Edwards Letter.

19 See Edward Jones Letter.

20 See A.G. Edwards Letter; SIA/BMA Letter.

21 See A.G. Edwards Letter.

22 The NASD notes that the requirement that a contact person be a member of senior management and a registered principal is consistent with other NASD rules, including designation of a member's Executive Representative.

23 See SIA/BMA Letter.

24 15 U.S.C. 78o-3(b)(6).

25 See supra note 11.

26 See supra note 7.

27 See supra note 13.

28 17 CFR 200.30-3(a)(12).

 

http://www.sec.gov/rules/sro/34-48503.htm


Modified: 09/26/2003