Retail Banking: Business Continuity Planning
We found that firms often take steps to build resilience to prevent events from occurring. However, anticipating that events will occur and carrying out proper planning and testing will allow firms to be better prepared to respond to and recover from events – e.g. pre-prepared communication plans.
We expect firms to proactively identify, test and revise the relevant capabilities (e.g. people, processes, systems) which mitigate harm in the event of an incident. If there are areas that could be enhanced, we expect appropriate action to be prioritised, so that firms can deal effectively with incidents and harm is reduced when they do occur. This should be part of the ongoing assessment of systems and controls and is highlighted in the Discussion Paper on Operational Resilience that we published jointly with the PRA. This will help firms to be better prepared to respond and recover when events occur.
Examples of good practice and potential areas for enhancement
Planning and preparation
- Most firms had a documented BCP strategy approved at Board level, with a clearly defined risk appetite. Documenting the appetite for event occurrence and recovery can guide a clear strategy for event management, including the roles and responsibilities of individuals.
- Some firms had real-time monitoring tools allowing frontline staff to track the performance of services, with automated alerts on new events sent to senior management at defined trigger points. Tracking an event in real time enables enhanced event management capabilities.
- All firms used governance forums for approval, challenge and maintenance of policies, plans and frameworks to ensure that the appropriate accountability and responsibility for managing BCP is applied.
- Some firms considered real-life scenario testing that goes beyond the basic scenarios of denial of premises access and denial of IT service. They used real-life events and potential events to test their colleagues’ understanding of responsibility, capabilities to adapt and critical decision making.
- Most firms had identified and documented customer critical processes so that if they are affected during an event, they can be prioritised swiftly for action to reduce harm.
Potential areas for enhancement
- Most firms did not adequately consider the link between business continuity and large-scale change projects or routinely revisit plans in anticipation of ‘go-live launches’. When implementing significant changes, we strongly encourage firms to plan for unanticipated disruptions so that any response implemented is adequate, swift and reduces harm effectively.
- Most firms had training that covers the requirements for technical staff, but we did not see relevant and tailored training across all firms that covered all colleagues. Training of this nature would raise awareness and understanding of roles and responsibilities, which would enable swift and effective action by staff during an event. It also makes clear what is expected of individuals.
- We encourage firms to consider defining a broad range of test events covering multiple scenarios, so that plans can be tested regularly, improved as necessary and kept current and proportionate to the nature, scale and complexity of the risks inherent in the business model of the firm.
- Some firms did not ensure that BCP is a priority for attention at the highest level of the organisation – e.g. Executive Committee and Board. Also, challenge on current capabilities was not encouraged by those responsible for BCP.
- Some firms had crisis management plans containing detailed pre-drafted and pre-approved communication plans for internal/external stakeholders (including their customers). These covered the specific messages to be used, how they should be issued and in which instances. This enabled fast reaction times when events occurred and was part of preparation work completed.
- Most firms documented several contingencies for their customer critical processes, and where gaps existed there were plans in place to make the necessary improvements.
- Some firms used flexible (internal and external) resource plans to ensure that the firm has the capability to quickly move resources to where they are most needed in an emergency. This means customer harm is reduced and solutions are implemented quickly.
Potential areas for enhancement
- Most firms had not created and developed ‘playbooks’ that cover different potential scenarios with multiple impacts. Firms should consider whether these documents should include guidance on the appropriate communication steps to be taken, the contingencies required to respond and the roles and responsibilities of the individuals managing the event.
- We encourage firms to consider that any response to an incident is managed and driven by appropriate individuals – e.g. an individual with appropriate knowledge, experience and seniority. Firms should also consider whether internal or external independent oversight and challenge on the robustness of proposed solutions, and the speed with which they are implemented, is required.
- Depending on the nature, scale and complexity of their business, firms should consider whether individuals responsible for implementing the required solutions and fixes should also be responsible for verifying that those solutions are adequate and appropriate. Firms should consider whether the verification of these solutions should be carried out by an appropriate impartial group or individual – e.g. 2nd Line of Defence Risk, Internal Audit, Third Party opinion.
A firm’s approach to returning to ‘normal’ or ‘new normal’ service following an event and how the firm ensures potential or actual consumer harm is identified at the earliest opportunity and remediated swiftly.
ICBA will respond to a Significant Business Disruption (SBD) by safeguarding employees’ lives and firm property, making a financial and operational assessment, quickly recovering and resuming operations, and protecting all of the firm’s books and records. If the firm determines it is unable to continue business, proper notification will be made to regulators and business constituents.
Significant Business Disruptions (SBDs)
The BCP anticipates two kinds of SBDs, internal and external. Internal SBDs affect only the ability to communicate and do business, such as a fire in the building. External SBDs prevent the operation of the securities markets or a number of firms, such as a terrorist attack, a city flood, or a wide-scale, regional disruption. The firm’s response to an external SBD relies more heavily on other organizations and systems. While ICBA does not have customers or conduct a securities business, certain books and records are stored and maintained by other entities.
Approval and Execution Authority
Plan Location and Access
ICBA will maintain copies of the BCP plan, its annual reviews, and the changes that have been made to it, for inspection. An electronic copy of the plan is stored on a Vining Sparks network server, which is backed up to a data center located in Dallas.
149 BUSINESS CONTINUITY MANAGEMENT
Policy statement. BSFIs can be adversely affected by disruption of critical operations due to internal and external threats, which may be natural, man-made or technical in origin. Extreme events may cause major disruptions whose impact is very broad in scope, duration or both and can pose a substantial risk to the continued operation of BSFIs. Because BSFIs play a crucial role in the financial system and economy as a whole, it is important to ensure that their operations can withstand the effects of major disruptions. Thus, BSFIs need to have a comprehensive business continuity management (BCM) process as an integral part of their operational risk management system. A well-designed BCM process enables BSFIs to resume critical operations swiftly and minimize operational, financial, legal, reputational, and other material risks arising from a disruption. This also helps mitigate systemic risks as well as maintain public trust and confidence in the financial system.
Purpose, applicability, and scope. The guidelines aim to promote sound management of business continuity risks. These align existing regulations, to the extent possible, with leading standards and recognized principles on BCM, and shall serve as the Bangko Sentral’s baseline requirement for all BSFIs.
The guidelines shall apply to BSFIs, which include banks, non-banks with quasi-banking function (NBQB), non-bank electronic money issuers and other non-bank institutions which, under existing Bangko Sentral rules and regulations and special laws, are subject to Bangko Sentral supervision and/or regulation. Moreover, these guidelines shall also apply to BSFIs with offshore data processing, as may be appropriate to their situation.
a. Alternate and Business Recovery Sites shall refer to standby facilities for use during disruption of critical operations to ensure business continuity. These provide work space and/or the necessary technology environment needed to process business-critical information. Organizations may have more than one (1) alternate site. In some cases, alternate sites may involve facilities that are used for normal day-to-day operations but which are able to accommodate additional business processes when a primary location becomes inoperable. Examples of alternate sites include relocation and disaster recovery sites, whether managed directly or maintained by a third party for a BSFI or for use by multiple organizations.
c. Business Continuity Management (BCM) shall refer to an enterprise-wide framework encompassing policies, standards, facilities, personnel and practices that provides for continuous functioning of the institution during disruptions. It is proportionate to the BSFI’s internal and external risk exposures and tailored to the nature, scale, and complexity of its business.
d. Business Continuity Plan (BCP)/Plan shall refer to a documented plan detailing the orderly and expeditious process of recovery, resumption, and restoration of business functions in the event of disruptions. It should be able to cover and establish linkages among its multiple components, such as communication plan, crisis management plan, contingency funding plan, and technology recovery plan.
e. Business Impact Analysis (BIA) shall refer to the process of identifying and measuring (quantitatively and qualitatively) the business impact or loss of business processes in the event of a disruption. It is used to identify recovery priorities, recovery resource requirements, essential staff, and dependencies (internal and external) to be incorporated in the plan.
g. Crisis Management Plan (CMP) shall refer to a documented plan detailing the actions to be taken when a crisis strikes a BSFI and designed to maintain order amidst the confusion surrounding such situations. During and immediately after a crisis, the members of the crisis management team will convene and activate the plan to attain control over the crisis and minimize its impact to operations.
m. Recovery Time Objective (RTO) shall refer to the period of time following an incident within which a product, system or business process must be resumed or resources must be recovered.
o. Risk Assessment shall refer to the process involving the identification and assessment of potential threats and vulnerabilities that could severely interrupt a BSFI’s business activities and the corresponding likelihood and magnitude of impact on business processes.
p. Technology Recovery Plan (TRP)/Disaster Recovery Plan (DRP) shall refer to a documented plan detailing the technology strategy and requirements during recovery for business and support functions. The relevant regulations are in Item “220.127.116.11” of Appendix 77.
a. Board of directors and senior management. The BSFI’s board and senior management are responsible for overseeing the implementation of a sound BCM process, which involves the creation and promotion of an organizational culture that places high priority on business continuity. This should be reinforced by providing sufficient financial and human resources associated with the BSFI’s business continuity initiatives. Senior management should establish BCM policies, standards, and processes, which must be duly endorsed to and approved by the board.
Business Continuity Plan
Business Continuity Planning FAQ
The purpose of the disclosure requirement in FINRA Rule 4370(e) is to assist customers in making educated decisions about whether to place their funds and securities at a specific firm. The disclosure may state that the firm’s BCP is subject to modification. Each firm is required to disclose to its customers how its BCP addresses the possibility of a future significant business disruption and how the firm plans to respond to events of varying scope. However, firms are not required to disclose their actual BCP, including any proprietary information, but rather can provide appropriate levels of summary information.
2. Our firm’s business consists primarily of selling variable insurance products. Although we sell the product, the customer needs to deal with the insurance company in question if there is a problem. How do we treat this situation in our BCP under FINRA Rule 4370?
A firm that sells variable insurance products cannot defer its regulatory and customer protection responsibilities to a third party. A firm may, however, tailor its BCP to the needs and business of the firm. In tailoring the plan, the firm must consider its customers’ needs in the event of a significant business disruption, and plan accordingly. In the situation presented, the plan should, for instance, consider what the firm’s primary responsibilities are, but also include information on the entities that customers would need to contact to access their assets and funds. The firm should also provide customers with any needed information regarding assets held away from the firm.
3. Our firm is a market maker that deals solely with other firms, so we have no retail “customers.” To whom, if anyone, should we disclose how our BCP addresses the possibility of a future significant business disruption and how we plan to respond to events of varying scope under FINRA Rule 4370?
As we have stated, each firm’s BCP must be tailored to meet its specific needs. This underlying principle also applies to disclosure of how a firm plans to address a significant business disruption. Therefore, although there is no obligation to disclose how your BCP addresses the possibility of a future significant business disruption to non-customers, a copy of the disclosure should be made available to any non-customer with which you do business so that these individuals and firms can determine for themselves the efficacy of the firm’s BCP.
4. In what manner should our firm disclose to our customers a summary of how our Business Continuity Plan (BCP) addresses the possibility of a future significant business disruption and how we plan to respond under FINRA Rule 4370?
FINRA Rule 4370 requires each firm to conduct an annual review of its BCP. In addition to an annual review, your firm must update its BCP in the event of any material change to your firm’s operations, structure, business, or location.
Each member must disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. At a minimum, such disclosure must be made in writing to customers at account opening, posted on the member’s Internet Web site (if the member maintains a Web site), and mailed to customers upon request.
The intent behind this part of the rule is to provide customers and counterparts with appropriate levels of information so that they may make an informed decision about doing business with your firm.
7. Our firm’s business is done solely on an RVP/DVP basis. To whom should we disclose how our Business Continuity Plan (BCP) addresses the possibility of a future significant business disruption and how we plan to respond to events of varying scope under FINRA Rule 4370?
BCPs should be reasonably designed to enable a firm to meet its existing obligations to customers and address existing relationships with other broker/dealers and counterparties. To the extent a firm does not have any customers, it should disclose this information to the business constituents or other non-customers that rely on the firm as part of the overall transaction process.
8. My firm is a sole proprietorship. I am the sole registered principal, but I employ two registered representatives. I will register myself as the first emergency contact person, but who should be the second emergency contact person under FINRA Rule 4370?
The second emergency contact person should be one of the registered representatives at your firm who is a member of senior management and has knowledge of your firm’s business operations.
FINRA Rule 4370(e) does not require firms to disclose their entire BCPs to their customers. Under this rule, members are required only to summarize the manner in which their BCPs address the possibility of significant business disruptions. Firms are not required to disclose the specific location of any back-up facilities, any proprietary information contained in the BCP, or the parties with whom the firm has back-up arrangements. Instead, the disclosure should address how the firm would react to events of varying scope. For example, the disclosure should provide: