Interagency white paper looks to better define what regulators expect from financial-services institutions when it comes to business-continuity planning.
The Securities and Exchange Commission, the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency have jointly released a white paper aimed at guiding the financial-services industry - specifically "core clearing and settlement organizations" - through instituting comprehensive business-continuity plans.
The paper, which was released on Aug. 22 and is asking for comments by Oct. 21, describes core clearing and settlement organizations as "market utilities that provide critical clearing and settlement services for financial markets and large value payment system operators ... for whom there are no viable immediate substitutes."
Another important classification in the paper is "firms that play significant roles in the critical financial markets." These are defined as "those that participate in sufficient volume or value such that their failure to perform critical activities by the end of the business day could present systemic risk."
The paper discusses guidelines for establishing primary and secondary backup-data centers, time frames for instituting BCP measures, and the need for sufficient geographic dispersion of technology and intellectual capital. (To view the paper, see our "Resources" section at www.wallstreetandtech.com/resourceCenters/stp)
"I think (people) should determine where they think their firm fits in the current definitions or if the definitions should be modified. Each firm should bring its expertise and experience into making comments around what would be sensible overall," says Thomas Perna, senior executive vice president of the Bank of New York, a financial institution hit hard by the Sept. 11 attacks because it had four locations in close proximity to the World Trade Center.
Though certainly also aimed at large institutions like BONY - the paper states, "The agencies believe that many if not most of the 15-20 major banks and 5-10 major securities firms ... play at least one significant role in at least one critical market." - it is clearly focused on the Depository Trust and Clearing Corporation, the main institution for clearance and settlement in the United States.
"If you look at the definitions, top-tier industry-infrastructure providers like DTCC would clearly be at the top of the list," says Perna.
The depository, for its part, is getting the white paper's message loud and clear. Don Donahue, managing director, DTCC, says that his organization has been working hard on developing and instituting improved business-continuity plans. "We didn't need the regulators to tell us they were concerned about us," says Donahue.
Donahue says the DTCC has been hard at work shoring up its post-Sept. 11 BCP plans. Those plans start with a hot, or synchronous, backup site, which technology limitations dictate must fall within about 60 to 80 kilometers of the primary location.
But such two-site BCP paradigms, prevalent in the industry before Sept. 11, when most firms planned for the loss of one facility due to a single-building fire, are no longer sufficient. The white paper states that now " ... certain core clearing and settlement organizations ... are establishing remote backup facilities, in some cases hundreds or even thousands of miles away from the primary site." Asking for comments, the paper questions whether all core organizations should be required to have backup facilities at least 200 to 300 miles from a primary facility.
Obviously, that means that a core institution will have to maintain three sites: a primary facility, a hot backup facility (within 60 to 80 kilometers of the main facility) and a tertiary, warm or cold backup facility (at least 200 to 300 miles from the main facility, for example). That is exactly the BCP blueprint that DTCC is instituting.
DTCC plans to go live with the tertiary facility in the second quarter of 2003, says Donahue. That site will operate in asynchronous fashion, replicating data on a 15- to 30-minute lag behind the main facility. With such a configuration, data would be lost only if both the primary and secondary sites were lost simultaneously, and even then the loss would be at most a 15- to 30-minute slice of data.
"If that scenario takes place, losing that slice of data is not what people are going to be talking about," says Donahue.
But even more difficult than dispersing technology and data, says Donahue, is sufficiently dispersing intellectual capital, which, if lost, can affect a firm more than technology failures.
"I have people here who know the DTCC applications. I have people who know how DTCC settlement works, how DTCC corporate-action processing works. These people have an enormous amount of knowledge," he says. "What happens if you lose those people?"
To make sure that doesn't happen in the case of a regional disaster, firms must endeavor to fan out their employee population by transferring key people to remote facilities. But that's easier said than done, as many senior employees have little interest in relocating.
Determining the proper paradigm for a firm's BCP strategy, in terms of personnel and technology dispersion, first requires executives to decide exactly how large a disaster it makes sense to plan for. Questions arise: How much is enough?
Don Kittell, executive vice president, Securities Industry Association, says that coming up with one, industry-wide definition for "enough" when it comes to BCP is going to be very difficult. "I think it's fair to say that there is some degree of controversy within the industry or difference of opinion on how much geography is necessary ... . If you envision entire hundred-square-mile areas being subject to vulnerability ... you come up with certain responses. If you don't agree that that is a highly likely scenario then you don't invest the money to defend against it."
When you're the DTCC, the main clearance and settlement organization in the world's largest market, the answer is that it's never enough. "Our view is that you have to wear a belt and suspenders. Our board's view is that, given who we are, we better wear both and glue our pants on because we can't go down," says Donahue.
It is unclear exactly what will come out of the comment period in terms of whether or not any formal guidelines will be issued by, for example, the SEC. However, according to remarks made by Roger Ferguson, Jr., vice chairman of the Board of Governors of the Federal Reserve System, the industry will largely be left to its own devices when enacting BCP plans. He says, " ... we are stopping short of imposing detailed regulatory standards. ... I feel strongly that any such guidance should resist taking an overly prescriptive approach."
Rob Hegarty, director of the Investment Management Practice, TowerGroup, says that executives will be well served to carefully read the white paper, decide which category their firm falls into, and determine if they have the appropriate BCP plans either in place or in the works. "Firms have to do an assessment to see what guidelines they meet and don't meet," he says.
A Lesson Learned: BONY Fans Out
On Sept. 11, 2001, BONY had four locations within the shadows of the World Trade Center. In the days after the attack, facilities at 1 Wall St., 101 Barclay St., 21 Old Slip and 100 Church St. were either heavily damaged or inaccessible.
Determined to gain greater geographic dispersion, BONY has worked with IBM and Ernst and Young to formulate an "endgame" for its data-center-configuration strategy, says Thomas Perna, senior executive vice president, BONY. In the past year, the bank has established a data center in Sterling Forest, N.Y., to replace the 101 Barclay St. facility; "hardened" its Maywood, N.J., facility, used for the clearing of government securities, by installing additional technology; and acquired a facility in Brooklyn to further spread out its employees.
Additionally, much like DTCC, and perhaps mimicking a trend that will serve as the new paradigm for data-center configuration, BONY will operate two backup-data centers: one closer to the main facility, in synchronous mode, and another, asynchronous facility located "quite a bit aways," says Perna.