More than two years after Sept. 11, the financial-services industry is still working to shore up its disaster-contingency planning. Coming on the heels of interagency white papers aimed at, first, core clearing and settlement institutions, and, second, exchanges and electronic communications networks (ECNs), the NASD and NYSE have jumped into implementing business-continuity plans with their own regulations.
Though neither of the regulations has taken effect (both are still inching through the Securities and Exchange Commission's approval process), NASD rules 3510 and 3520 and NYSE rule 426 largely cover the same ground. Howard Sprow, director of business-continuity planning with the Securities Industry Association, says that the regulations "are mirror images in intent, but they are written differently, so they are trying to get the language synchronized."
In general, the regulations, which would be enforceable 150 days after the SEC gives its imprimatur, call for all member firms to have a written BCP plan on file that ensures a company can continue meeting its customer obligations following any business-disrupting event. Both regulations also call for such plans to be available to counterparties and the general public, though the level of detail that must be provided is not specified.
Sprow notes that in regulations governing BCP, it's advisable to determine the goal and allow firms to find their own way to the destination. "I think that generally the industry agrees that having such rules in place is appropriate. The issues that come up have to do with the nuts and bolts and the details of how firms are to comply," he says. Sprow notes that the NASD rules have already been through six comment periods during which some contended that the regulations were overly proscriptive. The new regulations also instruct firms to focus on continuing to operate their core systems and updating and testing their plans annually.
Todd Eyler, capital-markets research manager with Financial Insights, says major players in the BCP space include service bureaus like SunGard Phase 3 and ADP, along with network providers such as Radianz and Savvis. Citrix, he says, provides remote-application hosting. "If someone loses a building, they can have their applications backed up on the Citrix network," he says. Eyler says that firms need to determine which applications are crucial to their business and then ensure that they can be recovered in a very short period of time. For example, he says that a firm can continue short-term operations without its payroll systems being fully available, but the same cannot be said of an order-management system, without which a business can come to a halt.
The SIA's Sprow says the industry association has plans to further help firms in 2004. As the continuation of a testing initiative that began in 2003, the SIA will allow firms to conduct connectivity tests from their primary and backup sites to the primary and backup sites of different exchanges. Called Phase 1, the program will continue through June. "Virtually all core firms and most of the other firms would be completed with that by midyear," says Sprow.
Phase 2, which will take place during the second half of 2004, will be a bit more detailed. In this phase, firms will shift small groups of employees to their backup sites to transmit business orders, confirmations, acknowledgements and other bits of trading information. Also, says Sprow, the SIA is looking into "table-top exercises, which are not live tests as in Phase 1 and 2, but will be more like policy forums where firms can get together to compare their procedures and plans against potential scenarios." Those exercises, he says, will take place in the first quarter.