In view of the ongoing public health emergency caused by the Covid-19 outbreak, many securities broker-dealers are faced with the challenge of implementing business continuity plans (BCPs).
BCPs typically feature the use of emergency office relocations, remote office environments and/or telework arrangements. Firms should be mindful of their obligations under Financial Industry Regulatory Authority (FINRA) rules as they implement BCPs and take steps to comply with federal, state and local mandates designed to combat the spread of Covid-19.
To that end, on March 9, FINRA published Regulatory Notice 20-08, which highlights significant considerations related to BCPs and provides firms with minor regulatory relief from certain obligations.
Reviewing and Implementing BCPs
The notice advises firms to review their BCPs and ensure that such BCPs are sufficiently flexible to address the effects of the Covid-19 pandemic. Firms are encouraged to contact their designated FINRA risk monitoring analyst to discuss their BCPs before activation, and to address any unique issues the firm may be facing.
In particular, the notice emphasizes that firms should consider the effects of using remote offices and teleworking on firms’ technology infrastructure and cybersecurity, as well as on their communications with customers and FINRA.
Remote Offices and Teleworking
With respect to remote office and teleworking arrangements, the notice indicates that FINRA has suspended the requirement that firms update Form U4 information regarding employment addresses for registered persons who are relocated due to Covid-19.
Further, firms are not required to submit branch office applications (Form BR) for any newly opened temporary office locations or space-sharing arrangements established as a result of Covid-19 and recent events.
According to the notice, firms should alert their FINRA risk monitoring analyst as soon as possible after deciding to utilize any new business location. Such notice should indicate whether persons associated with the firm will be sharing space with another entity and, if so, the type of business in which the other entity is engaged.
The notice reminds firms of the risks associated with office sharing, including customer privacy, information security and customer confusion.
Related to this limited relief, firms should give consideration to FINRA’s definition of “branch office.” This generally excludes the “personal residences” of associated persons, but requires that all of a firm’s securities business be conducted through the firm’s systems and email.
Firms must also have written supervisory procedures that address supervision of all sales activities conducted from a personal residence. In the current environment, firms must ensure that associated persons who are teleworking limit their activities and communications to firm-approved applications and should employ, where appropriate, enhanced review of such personnel’s communications and activities, including personal trading activity.
The exclusion of “personal residences” does not apply to the personal residences of those that are responsible for supervising the activities of associated persons at non-branch offices. As a result, such supervisory locations are deemed “branch offices.”
The definition of “branch office” also excludes “a temporary location established in response to the implementation of a business continuity plan.”
The notice, however, states that firms that utilize emergency office space that otherwise meets the definition of a “branch office,” but is not registered with FINRA as such, should promptly provide written notification to their FINRA risk monitoring analyst after the arrangement is established.
Technology Infrastructure and Cybersecurity
The notice encourages firms to test the broad use of remote offices and telework systems in advance of activating their BCPs. Firms should ensure that personnel have access to critical firm systems and adequate and secured internet connectivity.
It reminds firms of the enhanced risk of cyber events and system attacks that may exist during a pandemic and in remote work environments. Firms are advised to take steps to enhance their surveillance against potential cyber threats and to mitigate the risk of cyber events occurring.
Among other things, firms should:
- ensure virtual private networks and other remote access systems are patched with up-to-date security protocols;
- test system access and entitlements;
- employ multi-factor authentication for remote access; and
- provide associated persons with educational materials and training related to detection and avoidance of cyber threats.
Firms should take these steps as soon as practicable and in advance of activating their BCPs.
Communications With Customers and FINRA
The notice anticipates a significant increase in customer calls and online account usage during a pandemic and in light of significant market movements. This increased volume may trigger operational challenges that inhibit the firm’s ability to communicate with customers.
Firms are encouraged to review their BCPs for these issues and ensure mechanisms are in place to allow customers to both communicate with the firm and access their funds and securities in the event of a business disruption.
The notice advises firms to promptly place announcements on their websites in the event registered representatives are unavailable. The announcements should indicate other points of contact for trade execution and account access. Firms are also advised to consider revising supervisory policies and procedures to address risks that may arise due to reduced ability to communicate.
The notice encourages firms to review their FINRA Rule 4370 emergency contact information and promptly update that information if appropriate.
Finally, the notice advises firms to closely monitor regulatory filings, inquiries and investigations. FINRA is urging firms to contact their FINRA risk monitoring analyst or relevant FINRA department to obtain extensions.
In considering regulatory filings and extensions, firms are also reminded of the requirements of Rule 15c3-3 under the Securities Exchange Act of 1934 regarding reserve formula computation and deposit requirements designed to protect customer assets. The notice states that FINRA may waive any late fees that a firm would ordinarily incur in light of the circumstances.
Firms should carefully review the notice and any additional regulatory updates that may be issued in the future. Additionally, firms should take steps to assess their BCPs, test remote work arrangements for functionality and security, and communicate promptly with customers and regulators, including FINRA.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Riccardo M. DeBari is a partner in Thompson Hine’s Business Litigation practice group in New York. His practice spans many areas of complex civil litigation and commercial arbitration, including broker-dealer litigation and securities law, white collar defense and investigatory matters, commercial contract actions and product liability.
Brian Lanciault is an associate in the Business Litigation group, and advises clients in connection with complex commercial litigation, shareholder derivative suits, corporate governance matters, and compliance with federal securities laws, anti-money laundering statutes and the Bank Secrecy Act.