Mapping Out BCP Guidelines
After receiving tremendous push back from the financial-services industry, the Securities and Exchange Commission, the Federal Reserve System and the Office of the Comptroller of the Currency recently announced that jointly proposed BCP guidelines released in August would be largely declawed when they take their final form.
The guidelines, which are described in a revised white paper entitled "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," specifically address clearing utilities and "other firms playing significant roles in the critical financial markets." These are defined as firms that consistently clear or settle at least 5 percent of the value of transactions in that market.
NO THE DISTANCE
The industry was up in arms when the first draft of the white paper was released. The majority of firms expressly disagreed when the agencies asked whether a distance specification should be included, suggesting 200-300 miles between a primary and backup site.
"The industry pushed back so hard on this," notes Joe Anastasio, a partner with Capco, when asked why he thought the agencies didn't enforce stricter distance guidelines. "How can the regulators dictate distance or geographic separation? In every business and for every provider's circumstances, it could be different," he says.
Industry experts agree that BCP planning and, particularly, distance needs aren't a one-size-fits-all proposition. For example, a firm with a global footprint may have built-in backup by the nature of its business and may not need to be told how far its backup site should be from its primary site.
Cantor Fitzgerald, which has a global operating model and was highly impacted by Sept. 11, is a good example. "The fact that Cantor was able to do business a few days later out of their London office is an example of built-in continuity that is part of their business model by default," says Anastasio. In a case like this, a global firm could have its backup site less than 300 miles away from its primary site, but having an operation in London protects it from a wide-scale disaster.
An industry executive from a large brokerage firm, who requested anonymity, had another perspective on the absence of the distance requirement.
"Why did they change their mind? It ranged from everything from economic conditions in the city of New York to political pushback they got going as far as the White House," he says. "They were concerned that this 200-300 mile separation would be damning to many municipalities, not the least of which would be the city of New York."
Budgetary restraints were also a factor. The amount of money that would have been necessary to meet such restrictions would have been too large, considering all the budgetary pressures the financial industry is currently facing.
Timing was crucial as well, as some say the agencies' guidelines were simply a day late and a dollar short. "What you have to understand is these papers didn't come out until over a year after 9/11. A number of firms had moved very quickly to initiate funding of new locations of centers. Now, the agencies come out and say, you have to be X number of miles away from your primary site? Suddenly firms are caught in the middle. They've already spent a lot of money," notes one source.
At this point, these firms couldn't possibly pull out of their commitments and move further away, some say. For example, Morgan Stanley secured a new secondary site in Westchester, N.Y., long before the guidelines were released. This site would not have met the 200-300 mile requirement if it had been instituted. However, Greg Ferris, executive director and head of business-continuity planning for Institutional Securities at Morgan Stanley, says his firm has a tertiary site under development in Baltimore, so it wasn't concerned about a potential distance requirement. However, others in the industry would not have fared as well.
An SEC official, who also requested anonymity, says the commission never said it was going to institute such a distance requirement. "We don't think we ever suggested 300 miles, we thought we asked the question of the industry - asking if they wanted specific mileage. They said they didn't and we agreed."
He continued to say, "What the paper says is that the industry has to be prepared to handle a situation where the entire region is inaccessible."
The recent paper may not reveal a specific distance, but if the major clearing utilities have to be up and running in two hours - which the guidelines state - then maintaining a sufficient distance from the primary site is an implied requirement.
Morgan Stanley's Ferris agrees. "I think the spirit of what they were trying to say in the first version was very much alive. I still sense the concept of more real-time diversification, giving more thought to strategically placing not only technology and real estate, but also people." In addition, he notes that although they shied away from any specific mileage statement, regulators are still talking about separation of primary and secondary facilities.
TIME FOR RECOVERY
Despite backing down on the distance requirement, the agencies held firm on another important requirement: time for recovery.
The paper notes that "core clearing and settlement organizations should develop the capacity to recover and resume clearing and settlement within the business day on which the disruption occurs - with the overall goal to achieve recovery and resumption within two hours after an event."
In the past, that may have meant that having a primary site in downtown Manhattan and a backup site in Jersey City, N.J. - just five miles away, but across a river and on a different power grid - would be fine. However, today the environment and potential threats are very different from the past.
"There could be a nuclear event that takes out five square miles of airspace through contamination. If your primary site is in lower Manhattan and the other is in Jersey City, that might not be good enough," notes Anastasio. "In the past, we weren't worried about terrorist acts of that nature, we were defending against electrical outages, flood, fire, making sure you have a different power grid."
As a result, time for recovery equals distance. There would be no way to recover in a scenario such as the one Anastasio describes in two hours, which means although no distance requirement was specified, it is implied.
The Depository Trust Company Corp. will have to think about all of these issues, as it is the industry's major utility involved in clearing and settling trades.
A spokesman for the utility says that since Sept. 11, the DTCC has been forced to "redouble efforts and rethink its plans," while at the same time noting that the DTCC continued to settle $280 billion in trading activity on Sept. 11.
He says the DTCC has been communicating with regulators since Sept. 11 and, because of these discussions, the utility is already close to meeting the requirements in the white paper. The representative would not say where the DTCC's backup sites were located due to security reasons.
Although the DTCC spokesman would not provide many details about the utility's plans, Anastasio was able to provide some color. "The DTCC is going to go full hog. They will have well-thought-out resilience ... I think they will go the full nine yards and have robust capabilities, sites that are far apart, including people, technology and recovery capabilities. I expect nothing less from them." Other clearing market-share leaders such as Bear Stearns, the Bank of New York/Pershing and Merrill Lynch are expected to do the same.
What the paper does say about distance is that "core clearing and settlement organizations should establish backup facilities a significant distance away from their primary sites."
However, experts agree, that expecting firms to put their backup facilities "a significant distance" from primary sites, without setting specific requirements, makes BCP tough to enforce.
The paper also says that organizations that use synchronous backup "should establish even more distant backup arrangements that can recover and resume critical operations within the business day on which disruption occurs."
In other words if a firm does use synchronous back up, and most firms do, it will need more distance between sites. That is leading the industry to believe firms that have a synchronous data model may need to add a tertiary, asynchronous data model over a greater distance. Why? Because in order for synchronous backup to work, the two sites cannot be more than approximately 100 kilometers or 62 miles from each other. Ferris has asked the agencies for clarification on this point.
Sources say, if this is the case, only the largest firms will be able to afford to invest in and maintain a primary location and two backup sites.
Morgan Stanley's Ferris explains that synchronous backup is a "trade off of real-time replication and distance." He explains that the real-time replication used in synchronous backup allows a firm to copy data instantly. In other words, if data center A fails, data center B picks the information processing up without missing a beat. Asynchronous means firms can copy much less immediately, but over greater distances.
One industry segment noticeably absent from the paper were the exchanges. A recent Government Accounting Office Document criticizes the agencies' decision not to include exchanges in its guidelines. "The GAO suggested that the guidelines should reach beyond infrastructure and go to trading," notes the SEC official, declining to discuss the report further. A copy of the report could not be located by GAO officials by press time. As far as whether or not the agencies will release a second set of guidelines for trading, the SEC representative says the agencies are "undecided at this point."
The absence of trading guidelines is one thing, but the absence of guidelines for the exchanges, which are critical to the livelihood of markets, is of greater concern to many in the industry.
"With all the thought given to the clearing firms, what about the exchanges? How is that not the same kind of risk and why aren't we equally concerned about the distance of the contingency sites for the exchanges, and also about the welfare and resilience of the people that staff it?" asks Anastasio.
Equally important is a backup plan for specialists and floor traders on the New York Stock Exchange, whose survival is dependent on its people.
The SEC official says, "Well, the exchanges believe they're critical, but the assumption is that the Nasdaq will pick up what the NYSE can't handle." He continues to say that, "It won't necessarily be easy, but Nasdaq has dealers who could perform a function similar to a specialist." He added that the Nasdaq and the NYSE were working on a plan, but declined to comment further.
JUST THE BEGINNING
The guidelines, to many, are considered a good starting point. "Over the next few years, there will be new proposals. This was just the first meant to ease the industry into a more conscious effort," notes Michael Haney, senior analyst, Celent Communications. "This is never going to be a static document. The regulators will come back every couple of years. We're always learning new techniques, and technology (will improve). The goal is to get the industry to talk, create an environment of sound practices and encourage dialogue."
Haney believes we will see some firmer deadlines in the future. "This first paper raised a lot of questions and caused a bit of confusion, but that's not necessarily a bad thing. The same way Sept. 11 was a trigger, this can be too. It can help take us to the level of where we need to be."
Regulators Respond to 9/11
RECOVERY TIME 1. Core clearing and settlement organizations should develop the capacity to recover and resume clearing and settlement within the business day on which the disruption occurs. The overall goal is to achieve recovery and resumption within two hours after an event.
2. In addition, firms that play significant roles in the other critical financial markets should strive to achieve a four-hour recovery-time capability for clearing and settlment acitivites in order to ensure that they will be able to meet the business-day recovery target.
3. Core clearing and settlement organizations should develop plans for communicating with participants during a disruption to facilitate their rapid recovery.
DISTANCE 1. Recovery within target time during a wide-scale disruption generally requires an appropriate level of geographic diversity between primary and back-up sites for back-office operations and data centers.
2. The agencies do not believe it is necessary or appropriate to prescribe specific mileage requirements for geographically dispersed back-up sites. Backup sites should be as far away as necessary.
3. Back up sites should not rely on the same infrastructurecomponents as primary location, including transportation, telecommunications, water supply and electric power.
STAFF 1. Sites should not be impaired by a wide-scale evacuation or the inaccessibility of staff that service the primary site.
2. It is critical for the firm to determine how staffing needs at the back-up site would be met if a disruption results in loss or inaccessibility of staff at the primary site.
Testing 1. The effectiveness of the back-up plans should be confirmed by testing.