Many financial service firms have written supervisory procedures in place for business continuity planning (BCP). Tucked somewhere on a server or in a binder, many plans have been collecting dust. More than likely, these plans are only taken out during regulatory exams, branch audits, or internal testing.
However, the current reality of COVID-19 (Coronavirus) has thrust many firms into implementing their company’s BCP plan. Some companies scrambled to activate a plan that was rarely tested or is insufficient during a national pandemic. By definition, a pandemic is an outbreak of a disease over a wide geographic area. This means that all firms are susceptible in some way to this type of business disruption.
FINRA Guidance on BCP
FINRA Rule 4370 Business Continuity Plans and Emergency Contact Information requires member Firm’s to create a business continuity plan, update the plan, and have certain elements within the plan to address the following:
- Data back-up and recovery (hard copy and electronic);
- All mission-critical systems;
- Financial and operational assessments;
- Alternate communications between customers and the member;
- Alternate communications between the member and its employees;
- The alternate physical location of employees;
- Critical business constituent, bank, and counter-party impact;
- Regulatory reporting;
- Communications with regulators; and
- How the member will assure customers’ prompt access to their funds and securities if the member determines that it is unable to continue its business.
SEC Guidance on BCP
In 2016, the SEC published similar guidance, Business Continuity Planning For Registered Investment Companies, and noted: “Rule 38a-1 under the Investment Company Act of 1940 (“Investment Company Act”) requires funds to adopt and implement written compliance policies and procedures reasonably designed to prevent violation of the federal securities laws. In the staff’s view, fund complexes should consider their respective compliance obligations under the federal securities laws when assessing their ability to continue operations during a business continuity event.”
Revisiting Past Experiences
During the Zika virus epidemic in 2016, MasterCompliance published “Business Continuity Plan: Pandemic Preparedness.” The areas of note included risk analysis, business challenges, and a pandemic plan. Below are some key considerations to review:
Key Business Challenges
- Distributing hygiene products (for example, hand sanitizers, masks, gloves);
- Sanitizing and disinfecting facilities;
- Adhering to CDC recommendations on quarantines;
- Reassessing human resource policies;
- Testing information technology (IT) and remote work capabilities; and
- Increasing allowable sick time and encouraging employees to use such time.
Location Challenges
- Restricting travel;
- Minimizing or eliminating group meetings;
- Using remote meeting and conference call capabilities;
- Testing information technology (IT) and remote work capabilities; and
- Implementing social distancing policies and capabilities.
Considerations During COVID-19
The role of key stakeholders during a pandemic cannot be overemphasized. During COVID-19, the Centers for Disease Control provides relevant information to help keep businesses informed of national medical data and best practices to keep their staff safe and healthy. FINRA recently released NTM 20-08 to give Firms additional guidance on relevant information affecting the industry members. Important items of consideration include:
- Cybersecurity
- Telework Arrangements
- Form U4/U5
- BCP
- Emergency Office Locations
- Communicating with Customers
- Communicating with FINRA
- Military Personnel
- Regulatory Filings and Deadlines
Please contact us today to learn how we can help you and your firm during the current uncertain times and be better prepared for the future.