BUSINESS CONTINUITY PLAN «Back to Legal
Background
FINRA Rule 4370 (NASD Rule 3510) requires that all FINRA broker-dealers create and maintain a Business Continuity Plan (BCP); FINRA Rule 4370 (formerly NASD Rule 3520) requires that emergency contact information regarding the BCP be provided to FINRA through the FINRA Contact System (FCS) at www.finra.org/ncs.asp ).
The designated principal ensures that we adhere to all requirements under Rule 4370 retains all related books and records, including those indicating the required reviews, along with amendments made at any time.
Notice to Members 04-37 outlines how our obligations under Rule 4370 may be satisfied by participating in a corporate- wide BCP, as long as the plan addresses our specific situation, even if the affiliate or parent is not a FINRA member firm. If we rely on a company- wide BCP, our CCO will review the company- wide plan to ensure that it meets all the requirements of Rule 4370. In such a situation, we remain responsible for appropriate designation of a principal to act in the manner as described above.
Designated Supervising Principal
We are required to designate a member of Senior Management, who is a registered principal, as the individual responsible for approving our Business Continuity Plan (BCP) and conducting the required annual review of our BCP, including any proposed changes to the existing BCP.
The individual designated is
Name/CRD#: Nicolas R. Montgomery/CRD#4507625
Title: Managing Member
Senior Management BCP Approval
FINRA has made it clear that Senior Management Approval is intended only to ensure that a specific individual with proper authority reviews and updates the BCP, not to make one person responsible for our compliance with Rule 4370. Responsibilities under Rule 4370 are a firm- wide compliance issue.
Supervisory Review Procedures and Documentation
The designated principal will ensure that emergency contact information is submitted, and continually updated, as required to FINRA through the FCS. This information requires us to designate two emergency persons whom FINRA may contact in the event of a significant business disruption. Each emergency contact person must be a registered principal and a member of Senior Management. Notice to Members 04-37 outlines alternative measures, such as utilizing outside counsel, for instances in which a firm has only one principal or is a sole proprietorship.
The two emergency contact persons are:
Name/CRD #: Nicolas R. Montgomery/CRD#4507625
Title: Managing Member
Name/CRD #: Jay Conklin, Jr./CRD#4089464
Title: Managing Member
In the event of a material change, our CCO will ensure that we promptly update our emergency contact
information.
In addition, at least annually, an appropriate designated individual will review the FCS system to ensure the information remains current. Any changes must be made within 30- days of a different individual designated as an emergency contact person.
Our CCO will ensure that we maintain copies of our BCP plan, annual reviews and amendments for regulatory inspection purposes.
To ensure its accessibility to regulators upon request, an electronic copy of our plan will be readily available.
Recognizing that not all firms have a secure, off- site facility to store and update their BCP, FINRA has arranged for EVault, a leading provider of network backup and recovery software and services, to provide this voluntary electronic repository service specifically designed for FINRA firms.
Use of the BCP Repository Service is entirely voluntary and is not required under FINRA rules. Furthermore, use of the BCP Repository Service does not constitute a "safe harbor" with respect to a member firm's obligation to comply with all applicable rules and regulations.
Our CCO, working with Senior Management, will determine whether we will utilize EVault’s services and, ensure full compliance if use FINRA’s backup and recovery system for our BCP.
Our CCO will ensure that we update our BCP in the event of any material changes to our operations, structure, business or location. This updating must be accomplished in a timely manner.
In addition, our CCO will ensure that, if an individual other than the CCO has been designated as responsible for the BCP annual review, that person does, in fact, undertake such a review to determine whether any updates are needed in light of any changes to our operations, structure, business or location.
In reviewing our BCP, we must ensure that it addresses two potential types of significant business disruptions (SBDs), internal and external.
Internal SBDs affect only our firm’s ability to communicate and do business, such as a fire in our building.
External SBDs prevent the operation of the securities markets or a number of firms, such as a terrorist attack, a city flood or a wide- scale regional disruption.
Our response to an external SBD relies more heavily on other organizations and systems (i.e., a clearing firm, an issuer, bank, etc.).
At a minimum, our BCP must address the ten key areas listed below to the extent they are applicable and necessary. We should also identify and address any other key areas to ensure our BCP is complete and thorough based on our specific business and operations.
For any of the ten key areas listed below, our BCP must include a rationale for any item that is not included based on our own business model. It is not sufficient to merely omit a specific required category.
For any area where we are relying upon the BCP of another entity, we must have access to that entity’s BCP, or request that it prepare an Executive Summary of its BCP in terms of its relevance for our use in complying with Rule 4370. This Executive Summary would be required to be an integral portion of our BCP.
1. Data backup and recovery, both hardcopy and electronic
2. Mission- critical systems (defined in Notice to Members 04- 37 as “ any system that is necessary, depending upon the nature of a broker/dealer’s business, to ensure prompt and accurate processing of securities transactions, including but not limited to order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts and the delivery of funds and securities. ”)
3. Financial and operational assessments (i.e., written procedures to ensure our ability to identify changes in our operational, financial and credit- risk exposures). Operational risk focuses on a firm’s ability to maintain communications with customers and to retrieve key activity records through our mission- critical systems. Financial and credit risk relate to a firm’s ability to continue to generate revenue and to retain or obtain adequate financing and sufficient equity.
4. Critical business constituent, bank and counterparty impact
5. Prompt access by customers to their funds and securities
6. Alternate physical location of employees
7. Alternate communications between the firm and customers
8. Alternate communications between the firm and its employees
9. Alternate communications between the firm and the regulators
10. Regulatory reporting
In addition, our BCP must also include
· A detailed description of our business
· A listing of all business locations
· Dissemination of the plan and each individual’s responsibilities thereunder
Under Rule 4370 we are required to disclose certain portions of our BCP to customers. Such disclosure statement, with description of its distribution methods, is required to be an integral part of our BCP.
Our BCP must address how we will ensure that such disclosure is made when a new account is opened and at other times if applicable (i.e., annually). We must also indicate that we will mail a copy of our BCP disclosure to customers upon request, and we may also put the summary disclosure on our website.
Our BCP summary must address the possibility of a future SBD and how we plan to respond to events of varying scope. In addressing the events of varying scope, our summary must
1. Provide specific scenarios of varying severity (e.g., a firm- only business disruption, a disruption to a single building, a disruption to a business district, a citywide business disruption and a regional disruption)
2. State whether we plan to continue business during that scenario and, if so, our planned recovery time
3. Provide general information on our intended response
4. Disclose the existence of backup facilities and arrangements
We do not need to disclose the following factors
· The specific location of any backup facilities
· Any proprietary information contained in the plan
· The parties with whom we have backup arrangements
The summary may also include cautionary language indicating that the plan is subject to modification, that an updated summary will be promptly posted on our website, if applicable, and that customers may alternatively obtain updated summaries by requesting a written copy by mail.
We will maintain copies of our initial BCP and any amendments, evidencing appropriate Senior Management approval by initials and dates.
We will retain documentation concerning the maintenance of current information (with changes made within 30 days), on FINRA's FCS regarding our emergency contact individuals, evidenced by copies of the filings or by initialing appropriate changes made, documenting who made the changes or verifying that the information remains unchanged, and the dates when such changes or verifications were made.
We will maintain documentation of the required annual review of our BCP, indicating who conducted the review, the dates of all review activities, comments relating to required changes and indications that changes were made, including evidence of who made the changes and who received the revised BCP.
Evidence of our BCP disclosure to customers is retained in the filings, indicating how disclosure was made, when it was made and by whom.