On March 9, 2020, the Financial Industry Regulatory Authority (“FINRA”) issued Regulatory Notice 20-08 (“Regulatory Notice”) in response to the COVID-19 pandemic, providing guidance related to Rule 4370 Business Continuity Plans and Emergency Contact Information. In the wake of the COVID-19 pandemic, many FINRA member firms are now contemplating an extended period of time where business operations will involve significant numbers of employees working remotely. Members are advised in the Regulatory Notice to review the sufficiency of their business continuity plans (“BCPs”) and emergency procedures to deal with this reality. As the COVID-19 situation evolves, firms must have supervisory procedures that are, or can be, adapted to a remote work environment, including clear directives for how to escalate compliance issues. Furthermore, firms must, as the Regulatory Notice states, be aware of the increased cybersecurity risks inherent in telework, and respond to those risks in a reasonable way.
Business Continuity Plans and Emergency Contact Information
- Rule 4370 (Business Continuity Plans and Emergency Contact Information) requires members to create, maintain, review at least annually and update upon any material change, a BCP identifying procedures relating to an emergency or significant business disruption. In the days since FINRA issued the Regulatory Notice, the governmental response to the COVID-19 pandemic has evolved rapidly, and member firms are now facing an unprecedented and extended period of business disruption.
- The Regulatory Notice urges member firms to review their BCPs with an eye to “pandemic preparedness.” Part of that preparedness is pre-testing remote office or telework arrangements prior to activating a BCP.
- If firms have not yet activated their BCP, they should expend best efforts to test remote connectivity with critical firm systems, and to assess the adequacy of employees’ internet access and any VPNs, and to ensure that business can continue without significant interruption even in the event of large scale remote work.
- Firms that have activated their BCPs should continue to evaluate whether they adequately mitigate the rapidly evolving business risks of the response to the COVID-19 pandemic, update their BCPs if necessary, and ensure that critical systems and remote connectivity solutions are working as expected as this national crisis continues to evolve.
How Can Firms Be Pandemic Prepared?
- In addition to addressing connectivity and other operational logistics involved in running a broker-dealer with large numbers of employees teleworking, FINRA member firms should ensure that their compliance systems can continue to function effectively. The Regulatory Notice advises members that they will be expected “to establish and maintain a supervisory system that is reasonably designed to supervise the activities of each associated person while working from an alternative or remote location during the pandemic.”
- Member firms should review their written supervisory procedures to ensure that all compliance and control functions can continue to be seamlessly integrated with remote business functions.
- For example, where supervisory oversight has historically relied, at least in part, upon proximity, such as with a supervisor sitting on a trading desk, the firm should ensure that it can digitally or electronically replicate that oversight.
- Supervisory personnel should be included in group chats or video conferences regarding activities by associated persons that they would typically supervise in person.
Emergency Contacts As Pandemic Preparedness
- FINRA Rule 4370 mandates the appointment of emergency contact personnel, a requirement designed primarily to facilitate communication to and from the firm in the aftermath of a short term, acute, event-based emergency. The COVID-19 pandemic is an emergency of a different sort.
- While the Regulatory Notice reminds firms of their obligation to designate two emergency contact persons with whom FINRA may communicate, firms should also consider the necessity of more robust procedures as employees face the possibility of prolonged remote working situations, extended quarantines, and significant medical complications.
- Firms should create, document, and clearly communicate to employees contact information and escalation procedures to be used when questions arise in the course of doing business remotely, especially around legal and compliance issues and notification procedures in the event that a critical employee is unable to work. Employees should know who to call if the person they would typically ask a question is not available and firms should be in a position to rapidly update these contacts as the situation evolves.
- Phone trees and organization charts providing secondary and tertiary resources to employees will help firms avoid remote work becoming a compliance ‘self-help’ scenario.
Remote work brings additional cybersecurity risks. The Regulatory Notice contains a number of steps that FINRA also recommends member firms take to mitigate those increased risks, including taking steps to ensure that remote access remains both available and maximally secure, as well as encouraging heightened vigilance in a dispersed workforce. For more information about cybersecurity guidance for broker-dealers in the wake of COVID-19, please see our SRZ Alert Broker-Dealers: B-D Guidance on Increased Cybersecurity Risks Due to the COVID-19 Pandemic (March 20, 2020), available here.
If you have any questions concerning this Alert, please contact your attorney at Schulte Roth & Zabel or one of the authors.
 FINRA Rule 4370 Business Continuity Plans and Emergency Contact Information is available here.
This communication is issued by Schulte Roth & Zabel LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2020 Schulte Roth & Zabel LLP.
All rights reserved. SCHULTE ROTH & ZABEL is the registered trademark of Schulte Roth & Zabel LLP.