[Federal Register Volume 67, Number 174 (Monday, September 9, 2002)]
[Notices]
[Pages 57257-57260]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-22772]



[[Page 57257]]

-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-46444; File No. SR-NASD-2002-108]


Self-Regulatory Organizations; Notice of Filing of Proposed Rule 
Change by the National Association of Securities Dealers, Inc. Relating 
to Business Continuity Plans and Emergency Contact Information

August 30, 2002.
    Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 
(``Act''),\1\ and Rule 19b-4 thereunder,\2\ notice is hereby given that 
on August 7, 2002, the National Association of Securities Dealers, Inc. 
(``NASD'') filed with the Securities and Exchange Commission (``SEC'' 
or ``Commission'') the proposed rule change as described in Items I, 
II, and III below, which Items have been prepared by NASD. The 
Commission is publishing this notice to solicit comments on the 
proposed rule change from interested persons.\3\
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ The Commission notes that the New York Stock Exchange, Inc. 
(``NYSE'') has proposed a substantially similar business continuity 
plan rule (File No. SR-NYSE-2002-35). The Commission intends to 
notice concurrently both the NASD proposal and the NYSE proposal. 
The Commission further notes that, while the NASD rule would 
potentially apply to dual NASD and NYSE members, the similarity of 
the NASD and NYSE proposed rules should prevent conflicting 
compliance obligations on the part of such dual members.
---------------------------------------------------------------------------

I. Self-Regulatory Organization's Statement of the Terms of Substance 
of the Proposed Rule Change

    NASD is proposing a rule change to require member firms to create 
and maintain business continuity plans and supply NASD with certain 
information to be used in the event of future significant business 
disruptions. Below is the text of the proposed rule change. Proposed 
new language is in italics.

Rule 3500. EMERGENCY PREPAREDNESS

Rule 3510. Business Continuity Plans

    (a) Each member must create and maintain a written business 
continuity plan identifying procedures to be followed in the event of 
an emergency or significant business disruption. The business 
continuity plan must be made available promptly upon request to NASD 
staff.
    (b) Each member must conduct an annual review of its business 
continuity plan to determine whether any modifications are necessary in 
light of changes to the member's operations, structure, business or 
location.
    (c) The requirements of a business continuity plan are flexible and 
may be tailored to the size and needs of a member. Each plan, however, 
must at a minimum, address:
    (1) Data back-up and recovery (hard copy and electronic);
    (2) All mission critical systems;
    (3) Financial and operational assessments;
    (4) Alternate communications between customers and the member;
    (5) Alternate communications between the member and its employees;
    (6) Business constituent, bank and counter-party impact;
    (7) Regulatory reporting; and
    (8) Communications with regulators.
    (d) For purposes of this rule, the following terms shall have the 
meanings specified below:
    (1) ``Mission critical system'' means any system that is necessary, 
depending on the nature of a member's business, to ensure prompt and 
accurate processing of securities transactions, including, but not 
limited to, order taking, order entry, execution, comparison, 
allocation, clearance and settlement of securities transactions, the 
maintenance of customer accounts, access to customer accounts and the 
delivery of funds and securities.
    (2) ``Financial and operational assessment'' means a set of written 
procedures that allows a member to identify changes in its operational, 
financial, and credit risk exposures.

Rule 3520. Emergency Contact Information

    (a) Each member shall report to NASD, via such electronic or other 
means as NASD may require, prescribed emergency contact information for 
the member. The emergency contact information for the member includes 
designation of two emergency contact persons. Each emergency contact 
person shall be a member of senior management and a registered 
principal of the member.
    (b) Each member must update its emergency contact information, via 
such electronic or other means as NASD may require, in the event of any 
material change, but at a minimum must review the information contained 
therein twice a year to ensure its accuracy.

II. Self-Regulatory Organization's Statement of the Purpose of, and 
Statutory Basis for, the Proposed Rule Change

    In its filing with the Commission, NASD included statements 
concerning the purpose of and basis for the proposed rule change and 
discussed any comments it received on the proposed rule change. The 
text of these statements may be examined at the places specified in 
Item IV below. NASD has prepared summaries, set forth in Sections A, B, 
and C below, of the most significant aspects of such statements.

A. Self-Regulatory Organization's Statement of the Purpose of, and 
Statutory Basis for, the Proposed Rule Change

1. Purpose
    The purpose of the proposed rule change is to help to ensure that 
NASD members will be able to continue their business in the event of 
future significant business disruptions. In the wake of the events of 
September 11, 2001, the securities markets and industry showed an 
impressive ability to recover and continue their business. Given the 
events of this period, NASD examined the industry's recovery capability 
in greater detail to determine whether any regulatory action was needed 
to assure swift recovery in the event of any future significant 
business disruptions. Based upon these findings, NASD is proposing a 
rule change that will require members to create and maintain business 
continuity plans and supply NASD with emergency contact information. 
NASD believes that this proposed rule change is essential to investor 
protection and market integrity.

NASD Survey Initiative

    To fully understand the ability of members to respond to 
significant business disruptions, such as those resulting from the 
tragedy of September 11th, NASD surveyed 150 randomly selected member 
firms and 120 of the largest member firms. The 150 firms chosen to 
participate in the survey represent a statistically random sample of 
the entire NASD membership (approximately 5,600 NASD members) 
proportionately separated into the three categories of introducing, 
clearing/self-clearing, and specialty products firms. In addition, NASD 
selected 120 of the largest member firms to survey based on the number 
of registered persons associated with the firm. These firms 
collectively represent 70 percent of the registered representative 
population. The survey questions sent to the 120 large firms were 
identical to those sent to the 150 randomly selected firms. The results 
received from the survey sent to the larger firms are distinct from the 
random sample results and do not overlap.
    As further detailed below, the survey revealed many encouraging 
results. At the same time, the survey showed that a significant number of the 
randomly selected NASD member firms do not have business continuity 
plans in place. In addition, a significant number of smaller and 
mid-sized firms do not store back-up data and systems in a geographically 
separate location from their primary systems and records. Approximately 
two-thirds of the randomly selected firms and almost all of the larger 
firms can recover data from a remote site. Further, less than half of 
the randomly selected firms and three-fourths of the larger firms have 
back-up facilities in place that have the capacity to handle the same 
volume of trading as the primary facility. Nearly all member firms 
perform daily or weekly back-up of records.
    Not surprisingly, the maintenance of trading and investor records 
by a clearing firm for an introducing firm is common. Financial 
records, however, are less likely to be maintained by a correspondent's 
clearing firm. Although clearing firms do maintain certain records for 
introducing firms, over one-fourth of the introducing firms reported 
that there are significant records that are not kept at their clearing 
firm. This was confirmed by clearing firms. The survey results showed 
that approximately 85 percent of the larger firms have back-up systems 
to accommodate investor communications between the firm and its 
customers. In comparison, less than half of the randomly selected firms 
maintain such systems. Almost three-fourths of the larger firms and 
less than one-fourth of the randomly selected firms maintain Internet 
Web sites that allow for customer transactions and emergency 
communications with investors.
    Importantly, the survey also focused on the capability of firms 
following the September 11th tragedy to ensure that customers had 
access to their accounts. Very few firms reported that their customers 
were unable to execute securities transactions in their accounts when 
the markets became operational following the September 11th tragedy.
    The survey examined the ability of NASD members to communicate with 
key staff during a significant business disruption. Virtually all of 
the randomly selected firms and the larger firms maintain a readily 
available list of contact information for the purpose of locating and 
communicating with key staff during a significant business disruption. 
In addition, approximately three-fourths of the randomly selected firms 
and almost all of the larger firms maintain a readily available list of 
contact information for clearance and settlement organizations, banks, 
counter-parties, key business relationships, and regulators.
    Finally, the survey questioned whether it would be helpful for NASD 
to serve as a central repository for firms' business continuity plans 
and emergency contact numbers for key organizations (e.g., Securities 
and Exchange Commission, Depository Trust & Clearing Corporation, 
National Securities Clearing Corporation, and Federal Reserve Bank). A 
substantial number of firms responded that a repository service would 
be helpful.

NASD Proposed Rules

Rule 3510. Business Continuity Plan Requirement

    Based upon the survey findings, discussions with the SEC and the 
United States General Accounting Office, the experiences of September 
11th, and comment letters received in response to Notice to Members 
02-23 (April 2002) (``NtM 02-23''), NASD believes that member firms should 
be required to create and maintain business continuity plans. The 
proposed rule change recognizes that business continuity plans should 
reflect the particular operations and activities of a member. Given the 
diverse nature of the NASD membership, the proposed rule change allows 
member firms to tailor plans to suit their size, business, and 
structure. The proposed rule change, however, requires that a member's 
business continuity plan must, at a minimum, address:
    • data back-up and recovery (hard copy and electronic);
    • mission critical systems;
    • financial and operational assessments;
    • alternate communications between customers and the member;
    • alternate communications between the member and its 
employees;
    • business constituent, bank and counter-party impact;
    • regulatory reporting; and
    • communications with regulators.
    The proposed rule change defines ``mission critical system'' as any 
system that is necessary, depending on the nature of a member's 
business, to ensure prompt and accurate processing of securities 
transactions, including, but not limited to, order taking, entry, 
execution, comparison, allocation, clearance and settlement of 
securities transactions, the maintenance of customer accounts, access 
to customer accounts, and the delivery of funds and securities. This 
definition is materially consistent with the SEC's definition of 
``mission critical system'' in its Year 2000 Rule.\4\
---------------------------------------------------------------------------

    \4\ See 17 CFR 240.15b7-3T(g)(1).
---------------------------------------------------------------------------

    Under the proposed rule change, plans must be made available to 
NASD staff for inspection during routine examinations and promptly upon 
request by NASD staff. The proposed rule change requires that each 
member conduct an annual review of its business continuity plan to 
determine whether any modifications are necessary in light of changes 
to the member's operations, structure, business, or location. In 
addition, modifications may be necessary due to significant changes in 
technology that affect a member's operations or business.
    NASD also will offer a voluntary repository service for members' 
business continuity plans. In the event that a member is unable to gain 
access to its business continuity plan, the member using the repository 
service could contact NASD staff to obtain a copy of its plan. 
Similarly, if NASD could not contact a particular firm due to a 
disaster, it would have a greater opportunity to protect investors and 
the marketplace, and address concerns, if it had the firm's plan on 
file. A reasonable, but yet undetermined, fee will be charged to those 
that opt to take advantage of this service.

Rule 3520. Emergency Contact Information

    NASD's experience in the aftermath of September 11th confirms that 
NASD needs a fully reliable means of contacting firms in the event of 
an emergency. The proposed rule change would require NASD members to 
file and keep current with the NASD certain key information that would 
be of particular importance during significant business disruptions, 
including:
    • emergency contact information for key staff;
    • identification of two designated contact persons;
    • location of books and records (including back-up 
locations);
    • clearance and settlement information;
    • identification of key banking relationships; and
    • alternative communication plans for investors.
    To lessen any burden imposed by the proposed rule change, NASD 
intends initially to collect the emergency contact information through 
the Member Firm Contact Questionnaire on the NASD Web-Site. Pursuant to 
Article IV, Section 3 of the NASD By-Laws, NASD members are required to 
appoint an executive representative to represent, vote, and act for the member 
in nearly all of the affairs of NASD. An NASD member must appoint an 
executive representative and update contact information for the 
executive representative via the Member Firm Contact Questionnaire on 
the NASD Web site. At this point in time, NASD believes that amending 
the questionnaire, rather than creating a new form or pursuing 
amendments to Form U-4 or Form BD, minimizes any regulatory burden 
placed on NASD members and limits the costs associated with supplying 
NASD with emergency contact information. Finally, the proposed rule 
change requires NASD members to update their emergency contact 
information in the event of any material change, and at a minimum to 
review the information twice a year, to ensure its accuracy.
    Finally, NASD anticipates issuing additional guidance, including a 
template, to assist firms in satisfying obligations under the proposed 
rule change.
2. Statutory Basis
    NASD believes that the proposed rule change is consistent with the 
provisions of Section 15A(b)(6) of the Act,\5\ which requires, among 
other things, that the NASD's rules must be designed to prevent 
fraudulent and manipulative acts and practices, to promote just and 
equitable principles of trade, and, in general, to protect investors 
and the public interest. NASD believes that the proposed rule change 
will help to ensure that members are prepared for significant business 
disruptions, and that it is consistent with the Act.
---------------------------------------------------------------------------

    \5\ 15 U.S.C. 78o-3(b)(6).
---------------------------------------------------------------------------

B. Self-Regulatory Organization's Statement on Burden on Competition

    NASD Regulation does not believe that the proposed rule change 
would result in any burden on competition that is not necessary or 
appropriate in furtherance of the purposes of the Act.

C. Self-Regulatory Organization's Statement on Comments on the Proposed 
Rule Change Received from Members, Participants, or Others

    The proposed rule change was published for comment in NtM 02-23. 
Seventeen comment letters were received in response to the Notice. Of 
the 17 comment letters received, 14 were in favor of the proposed rule 
change and 3 were opposed. The specific concerns raised by commenters 
are addressed below.

Categories of a Member Firm's Business Continuity Plan

    A few commenters to NtM 02-23 believed that the enumerated 
categories for a member's business continuity plan were over-inclusive. 
NASD, however, believes that the categories strike an appropriate 
balance between ensuring that a member's plan adequately addresses all 
key areas of its business and allowing a member firm to tailor its plan 
to its specific size, business, and structure. Further, each member's 
business continuity plan will only be required to address the eight 
listed categories stated in proposed NASD Rule 3510(c)(1-8) to the 
extent applicable and necessary. For example, if a member does not 
maintain customer accounts at its firm, the member's plan should 
indicate this fact in its plan.
    One commenter to NtM 02-23 stated that NASD should review 
individual plans to ensure adequacy. In contrast, another commenter 
indicated that NASD should not review individual plans for adequacy. 
NASD will limit its review of a member firm's business continuity plan 
to whether the plan addresses the eight listed categories stated in 
proposed NASD Rule 3510(c)(1-8). The nature of the review will ensure 
that NASD is not micro-managing the business operations of each 
individual firm while ensuring that each plan addresses certain basic 
areas to protect the investing public and integrity of the markets.

Definition of Mission Critical System

    One commenter to NtM 02-23 believed that the definition of 
``mission critical system'' should include infrastructure. While the 
term infrastructure is not expressly included in the definition of 
``mission critical system,'' NASD believes that infrastructure is fully 
addressed through the definition of ``mission critical system'' because 
the rule's purpose is to help to ensure that a member firm will have 
the ability to continue business during a significant business 
disruption. As a result, any damage to any infrastructure that affects 
a member's ability to conduct business because of its effect on a 
mission critical system must be addressed in any plan.

Definition of Financial and Operational Assessments

    Based upon comment letters received in response to NtM 02-23, NASD 
has amended the definition of ``financial and operational assessment.'' 
In NtM 02-23, NASD defined ``financial and operational assessment'' as 
``a procedure created by a firm to test and determine the firm's 
capability to conduct business.'' The new definition states that 
financial and operational assessment means ``a set of written 
procedures that allows a member firm to identify changes in its 
operational, financial, and credit risk exposures.'' Operational risk 
focuses on the firm's ability to maintain communications with customers 
and to retrieve key activity records through its ``mission critical 
systems.'' Financial risk relates to the firm's ability to continue to 
generate revenue, and obtain new or retain adequate financing and 
sufficient equity. In addition to the possibility of experiencing 
operating losses, the value of the firm's investments may deteriorate 
due to the lack of liquidity in the broader market, which would also 
hinder the ability of the firm's counter-parties to fulfill their 
obligations. A firm would be expected to periodically assess the 
changes in these exposures, and quickly make such an assessment in 
connection with a significant business disruption. The procedures 
should be written and implemented to reflect the interrelationship 
among these risks. NASD believes that the new definition and guidance 
contain the appropriate level of specificity to assist members in 
creating their business continuity plans.

Proposed Rule Change's Applicability to Subsidiaries

    One comment letter raised a concern over whether a parent 
corporation would need to create a business continuity plan for each 
subsidiary member firm or whether the parent corporation could 
institute a corporate-wide business continuity plan. NASD believes that 
a subsidiary member firm may satisfy its obligations under the proposed 
rule change by participation in a corporate-wide business continuity 
plan of a parent corporation that addresses its subsidiary member 
firms. As a result, a subsidiary member firm may rely on the 
corporate-wide business continuity plan of its parent corporation regardless of 
whether the parent corporation is a member or non-member. The parent 
corporation's business continuity plan, however, must comply fully with 
proposed NASD Rule 3510 and address all requirements under the proposed 
rule change. In addition, the parent and subsidiary corporations must 
both comply with NASD rules on record-keeping and supervision for 
purposes of proposed NASD Rule 3510. Finally, the parent corporation 
must grant NASD access to its business continuity plan upon request.

Updating Business Continuity Plans

    The proposed rule change requires that each member conduct an 
annual review of its business continuity plan to determine whether any 
modifications are necessary in light of changes to the member's 
operations, structure, business, or location. A comment letter received 
from the Securities Industry Association (``SIA'') stated that the duty 
to update should only be triggered by changes in the nature of a 
member's business and other material factors. In addition, another 
commenter suggested that plans might need to be updated more frequently 
based on changes in technology. NASD believes that it is good business 
practice for members to update their business continuity plans each 
time there is a material change but that a regulatory requirement for 
this would be unduly burdensome. Accordingly, the proposed rule change 
requires members to annually update their business continuity plans.
    SIA also pointed out that the duty to update a business continuity 
plan may implicate NASD rules on record keeping and supervision. 
Members must document and keep records of the annual review or any 
modification to their business continuity plan in accordance with NASD 
record keeping requirements. In addition, when updating plans, the 
member must conduct the review in accordance with NASD rules on 
supervision.

Repository Service

    Comments received in response to NtM 02-23 indicated substantial 
support for a voluntary repository filing service for members' business 
continuity plans. Ameritrade, Inc. commented that it was concerned 
about the confidentiality of proprietary information under this 
service. NASD intends that all proprietary information contained in a 
member firm's business continuity plan and held by NASD through its 
repository service will remain confidential unless the information is 
otherwise publicly available or NASD is required to disclose the 
information by subpoena or otherwise by law. In addition, since NASD is 
subject to oversight by the SEC, it will provide the SEC with access to 
business continuity plans held by NASD.

Burden on Small Firms

    Three commenters were concerned about the burden that the proposed 
rule change would have on small firms. Given the flexibility of the 
rule and the recognition given to the diverse nature of the NASD 
membership, NASD believes that small firms will be able to comply with 
the rule through reasonable efforts and cost. Importantly, the rule 
should not require firms to hire outside consultants to create business 
continuity plans. In addition, NASD anticipates issuing future 
guidance, including a template, to assist member firms, particularly 
small firms, in creating their own business continuity plans.

Emergency Contact Information

    Originally, the proposed rule only required a member to designate 
one emergency contact person. In light of comments received in response 
to NtM 02-23, NASD has changed the requirements under the proposed rule 
to include two emergency contact persons. NASD believes that 
designating two persons will increase the likelihood that, in the event 
of a significant business disruption, NASD staff will be able to 
contact the member firm.
    In addition, SIA commented that NASD should proactively query firms 
for contact information. NASD, however, believes that this duty should 
lie with the member firm because the member will be best able to 
identify when a material change has taken place. Further, SIA commented 
that NASD should provide contacts for member firm problems. NASD 
believes that it has already established avenues for member firms to 
contact NASD in the event of a significant business disruption. For 
example, the NASD Web site provides phone numbers for members to call 
with any questions.

III. Date of Effectiveness of the Proposed Rule Change and Timing for 
Commission Action

    Within 35 days of the date of publication of this notice in the 
Federal Register or within such longer period (i) as the Commission may 
designate up to 90 days of such date if it finds such longer period to 
be appropriate and publishes its reasons for so finding, or (ii) as to 
which the self-regulatory organization consents, the Commission will:
    A. By order approve such proposed rule change, or
    B. Institute proceedings to determine whether the proposed rule 
change should be disapproved.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views, and 
arguments concerning the foregoing, including whether the proposed rule 
change is consistent with the Act. Persons making written submissions 
should file six copies thereof with the Secretary, Securities and 
Exchange Commission, 450 Fifth Street, NW., Washington, DC 20549-0609. 
Copies of the submission, all subsequent amendments, all written 
statements with respect to the proposed rule change that are filed with 
the Commission, and all written communications relating to the proposed 
rule change between the Commission and any person, other than those 
that may be withheld from the public in accordance with the provisions 
of 5 U.S.C. 552, will be available for inspection and copying in the 
Commission's Public Reference Room. Copies of such filing will also be 
available for inspection and copying at the principal office of the 
NASD. All submissions should refer to File No. SR-NASD-2002-108 and 
should be submitted by September 30, 2002.

    For the Commission, by the Division of Market Regulation, 
pursuant to delegated authority.\6\
---------------------------------------------------------------------------

    \6\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

Margaret H. McFarland,
Deputy Secretary.
[FR Doc. 02-22772 Filed 9-6-02; 8:45 am]