No doubt about it, businesses across the U.S. have been tested in recent years. From 9/11 to Hurricane Katrina to the Valley Fire to Hurricane Sandy and now, sadly, Tropical Storm Harvey, almost every part of the country has been touched by unforeseen circumstances that have threatened the survival of businesses as well as people. With each event came new lessons learned about the need to protect employees and business assets, as well as organizations themselves, against situations that threaten their existence.
The result of these challenges has been a revival of business continuity (BC) planning. Where BC was once focused solely on IT disaster recovery, lacking in strong business continuity standards, today’s BC looks different: It is precise, comprehensive, and governed by intelligent regulations that reflect the current business environment and focus on conditions necessary to survive.
Business continuity for banks, in particular, has evolved. The Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook—the gold standard for the banking industry—was updated recently, with rumors it may be further updated again in the near future. But FFIEC isn’t the only guideline or standard to be concerned with if you work in the financial industry. Depending on the business you’re in and the associations you have (for example, if your company isn’t a bank but provides an important service to banks), one of the resources below may apply to you. (Keep in mind that if your business is involved in investing and banking, more than one standard may apply.)
Business Continuity Standards For Banks, Financial Service Institutions, & Credit Unions
FFIEC: Business Continuity Planning Booklet (2008)
Who it applies to: U.S. banks and their service providers.
What it is: The FFIEC is responsible for establishing standards that promote uniform supervision of financial institutions. A 2008 update of the booklet focused on the responsibilities of the board and senior management as they apply to business continuity. It also included increased focus on the business impact analysis and the addition of pandemic planning, a push toward sound risk management with an emphasis on proactive risk mitigation.
In 2015, the FFIEC released a new appendix to the Business Continuity Planning booklet regarding business continuity for banks. Appendix J: Strengthening the Resilience of Outsourced Technology Services highlights the fact that a financial institution’s reliance on third-party service providers with regard to critical operations does not relieve a financial institution of its responsibility to ensure that those outsourced activities are conducted in a safe manner. It includes four elements banks should address to ensure they are contracting with technology service providers that will enhance the resilience of technology services.
The FFIEC suggests links to some relevant guidance from numerous sources, including the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board, the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision. Here are just a few items of interest to BC planners:
FDIC: Security Monitoring of Computer Networks FIL-67-2000
Who it applies to: All financial institutions that maintain computer networks connected to the internet.
What it is: This Financial Institution Letter (FIL) outlines some suggested practices for maintaining secure network operating systems and application programs that utilize those operating systems, addressing the need to watch for both external and internal threats to computer networks.
FDIC: Risk Management of Technology Outsourcing FIL-81-2000
Who it applies to: U.S. financial institutions and their service providers.
What it is: The FDIC, together with the other federal regulators of banks, thrifts, and credit unions, issued this joint guidance on managing the risk exposure an institution faces when it uses outside firms for technology. Key management issues include risk assessment, service provider selection, contract terms, and oversight of outsourcing arrangements.
FDIC: Security Standards for Customer Information FIL 22-2001
Who it applies to: U.S. financial institutions and their service providers.
What it is: These guidelines establish standards for safeguarding customer information as required by the Gramm-Leach-Bliley Act (GLBA), which compels banking agencies to establish appropriate standards for financial institutions relating to the administrative, technical, and physical safeguards of customer records and information.
Make sure your business recovery plans are thorough and complete with the help
of this free guide.
Federal Reserve System: Guidance on Managing Outsourcing Risk SR 13-19/CA 13/21
Who it applies to: All financial institutions supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets.
What it is: These documents are designed to assist financial institutions with understanding and managing the risks associated with outsourcing a bank activity to a service provider; and to address the characteristics, governance, and operational effectiveness of a financial institution’s service provider risk management program for outsourced activities beyond traditional core bank processing and information technology services.
Federal Reserve System: Supervisory Practices Regarding Banking Organizations and Their Borrowers and Other Customers Affected by a Major Disaster or Emergency SR 13-6/CA 13-3
Who it applies to: All state member banks, bank holding companies, savings and loan holding companies, and U.S. offices of foreign banking organizations, including those with $10 billion or less in consolidated assets.
What it is: This document discusses the supervisory practices that the Federal Reserve may employ when banking organizations and their borrowers and customers are affected by a major disaster or emergency. In general, the provisions of this letter are triggered when the president of the United States makes a major disaster or emergency declaration.
National Credit Union Administration (NCUA) Letter to Credit Unions, Disaster Recovery and Business Resumption Contingency Plans, Letter No.: 01-CU-21
Who it applies to: All federally insured credit unions.
What it is: Provides high-level guidance for credit unions to develop and/or revise their contingency plans, including instruction that credit unions must go beyond their information systems and develop comprehensive contingency plans for all critical resources.
Office of the Comptroller of the Currency (OCC): Interagency Paper On Sound Practices To Strengthen The Resilience Of The U.S. Financial System, OCC Bulletin 2003-14
Who it applies to: Financial firms and market utilities that support critical financial markets.
What it is: Developed by the SEC, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of Currency, this paper identifies four necessary steps financial firms must take for business continuity. For select financial service organizations, the steps outlined in this white paper are mandatory.
17 CFR 275 – Rules and Regulations, Investment Advisers Act Of 1940, Proposed Rule Change
Who it applies to: U.S. securities broker-dealers.
What it is: In June 28, 2016, the SEC proposed a new rule that would require registered investment advisers to adopt and implement written business continuity and transition plans. The proposed rule is designed to ensure that investment advisers have plans in place to address operational and other risks related to a significant disruption in the adviser’s operations to minimize client and investor harm.
Financial Industry Regulatory Authority (FINRA) Rule 4370
Who it applies to: All FINRA members.
What it is: Established by the not-for-profit organization that regulates the broker-dealer industry, this rule requires firms to establish and maintain business continuity plans tailored to their needs and businesses. In addition, the rule specifies the minimum elements that must comprise a business continuity plan. Organizations are required to disclose those plans to customers upon the opening of each new account; plans must also be posted on the firms’ websites. A not-for-profit organization, FINRA is responsible for regulating every broker and brokerage firm doing business with the U.S. public (over 600,000 brokers). Dedicated to investor protection and market integrity, FINRA investigates fraud and insider trading, and levied over $200 million in fines and restitution in 2016.
NYSE Rule 446/NASD 3510/3520 (2004)
Who it applies to: All members and member organizations of the NYSE or NASD.
What it is: This SEC-approved rule requires members to establish and maintain business continuity strategies and plans relating to an emergency or a significant business disruption. It also requires that members’ plans be reasonably designed to meet customer obligations.
Commodity Futures Trading Commission (CFTC) Rule 23.603
Who it applies to: Swap dealers (SDs) and major swap participants (MSPs).
What it is: It requires establishment and maintenance of written business continuity and disaster recovery plans that will allow the SD or MSP to continue or resume operations by the next business day with minimal disruption to its counterparties and the market. It includes the recovery of all documentation and data required to be maintained by law.
Need help complying with these business continuity standards?
Standards compliance is mandatory, but it doesn’t have to be hard.
BCMMetrics™ software tools support business continuity for banks and other financial institutions—including the comprehensive measurement of programs and their alignment with the standards.
Do a self-assessment of your program with our Confidence Compliance (C2) tool, which is automatically updated to align with eight industry standards, including FFIEC. You’ll get a score for your compliance level and an evaluation of areas that need improvement. You can also print out management reports—summary or detailed—that are easy to read and easy to share. If your bank receives a high score within C2, you can be certain your program is compliant.