New FINRA Guidance on Pandemic Risks

Another day, another gumdrop of guidance from financial regulators that’s worth reading for the whole compliance community. This time it’s FINRA, which published a bulletin Monday reminding broker-dealer firms about how to manage pandemic risk.

FINRA has Rule 4370 for broker-dealers, which requires them to draft and maintain a business continuity plan. That rule doesn’t cite pandemics per se, but does say the business continuity plan (BCP) should address “significant business disruption,” which coronavirus certainly is. 

The BCP should address issues such as data backup and recovery; management of mission critical systems; alternate methods of communication among employees; alternate physical locations for employees, and more. The full 10 elements FINRA wants to see in the plan are as follows:




Source: FINRA

Incidentally, FINRA also published a review of its 2019 regulatory examinations not long ago, where it flagged shortcomings it often saw in firms’ continuity plans. Some of the significant concerns included:

  • Incomplete mission-critical systems. Some firms hadn’t identified or kept a current inventory of all mission-critical systems. 
  • Insufficient capacity. Some firms didn’t have enough capacity to handle increased call volumes and online activity during a business disruption.
  • No updates for operational changes. Some firms didn’t update their BCPs after a big operational change, such as outsourcing important IT systems or relocating data centers. 
  • Outdated contact information. Hell hath no fury like an uncertain customer who calls the emergency contact number and it doesn’t work. Don’t be that firm.  
  • Local document storage. And some firms allowed employees to keep critical files on their computers’ hard drive, rather than storing all critical data on the firm’s network. 

OK, that’s the big picture about business continuity plans and where companies commonly come up short. Now let’s get back to the new FINRA bulletin and pandemic risks. 

Think Expansively

If there’s one theme to FINRA’s pandemic bulletin, it’s this: consider all the steps your company might take to keep going during a coronavirus scare. Then think about all the other risks that those steps bring.

For example, one obvious measure is to have people work from home. For lots of white-collar jobs, that’s at least somewhat feasible — but what new risks do you introduce by implementing that policy? (Especially since you might need to implement it without much advance notice.) Answering that question must be part of your pandemic risk assessment

Clearly you’d have more cybersecurity risk, if people are working on unsecured networks at home or in the field somewhere. You might (as FINRA noted in its examinations) have data availability risks if employees keep critical files on their hard drives rather than a corporate server. You’re also at higher risk of someone impersonating your employee while using his or her computer without permission. 

Those are just the risks that FINRA gives as examples; IT security folks could probably list many more. Regardless, once you ponder those secondary risks, what are the policies and remediation steps you could implement to reduce them? That’s the next question to answer. (Virtual private networks, cloud-based storage, two-factor authentication; those are some of the answers.)

FINRA also talks about challenges around supervising employees when everyone is working remotely. FINRA said it expects all firms “to establish and maintain a supervisory system reasonably designed to supervise the activities of each associated person while working from an alternative or remote location.” 

Sure, “supervisory system” has specific meaning to broker-dealer compliance — but the rest of us can still grasp the larger point here. Supervising employees when you can’t see them in person is tricky. Recall that survey of compliance officers published by Hogan Lovells in February; 56 percent of respondents said the decline of face-to-face transactions is a compliance concern, and another 57 percent said communication through messaging apps is, too. 

I have no specific advice on how to maintain good oversight and personal trust in times of virtual communication. (If you do, message me and I’ll post the best suggestions. Great way to pass your quarantine time.) But the point here is essentially the same as our cybersecurity examples, above. Consider the steps you need to take to keep working amid a pandemic, and then consider the new risks that those steps introduce into your enterprise. 

Vendor Risk, Redux

One final item worth noting actually comes from FINRA’s first pandemic guidance, issued back in 2009 when we were all worried H1N1 would sweep the globe. That guidance warned firms to understand the risks around “key dependencies” — which was an early way of describing what we call vendor risk today.

As that 2009 guidance says:

Firms need to identify their key dependencies and the risks a pandemic poses to these relationships. Key dependencies and critical relationships may be both internal and external to the firm. They may include dependencies on clearing firms, telecommunications networks, outsourcing/off-shoring providers, internal departments, mail service, utilities or other counterparties.

That advice is remarkably similar to the OCC guidance about vendor risk that we discussed just the other day. The OCC guidance is much more detailed about how to conduct a vendor risk assessment, and what assurances you should be trying to extract from vendors. But really, both agencies are stressing the same point: understand your vendor risks, and how you’d prepare to continue operations if disruption strikes— pandemic or otherwise. 

FINRA’s advice about key dependencies was this:

Firms should consider updating service-level agreements (SLAs) with their vendors, if they have not done so already, to address the potential impacts of a pandemic. Whether a key dependency is internal or external, firms must understand where a pandemic may concurrently impact a critical relationship.

Again: same advice, different regulator. OCC talked about managing language in contracts; FINRA talked about updating SLAs. 

FINRA’s pandemic guidance, both in 2009 and today, also stressed the importance of testing and updating your business continuity plan, so you’re ready for pandemic when it strikes. 

Then again, we’re past that point of testing, aren’t we? Wash your hands and stay safe.

Leave a Comment

You must be logged in to post a comment.