Business Continuity Plans
Quick Answer
FINRA's business-continuity-plan requirement obliges every member to maintain a written Business Continuity Plan (BCP) addressing 10 specified elements, including how customers will get prompt access to their funds and securities during a Significant Business Disruption (SBD). A senior-management member who is also a registered principal must approve the BCP and conduct an annual review. The firm must designate two Emergency Contact Persons (ECPs) and update them through the FINRA Contact System (FCS).
The business-continuity-plan requirement is the disruption-response rule. Hurricanes, terrorist events, pandemic shutdowns, and cyberattacks have all activated this requirement in real time. The exam asks two questions consistently: which 10 elements must the BCP address, and what are the ECP rules.
The 10 Required BCP Elements
Each member must create and maintain a written BCP identifying procedures for an emergency or Significant Business Disruption (SBD) that are reasonably designed to enable the member to meet existing obligations to customers. At minimum, the BCP must address:
- Data backup and recovery (hard copy and electronic)
- All mission-critical systems
- Financial and operational assessments
- Alternate communications between customers and the member
- Alternate communications between the member and its employees
- Alternate physical location of employees
- Critical business constituent, bank, and counter-party impact
- Regulatory reporting
- Communications with regulators
- How the member will assure customers' prompt access to their funds and securities if the member is unable to continue its business
Think of it this way: The 10 elements track a customer through a disruption. First the firm preserves data; then it keeps mission-critical systems running; then it tells customers and employees how to communicate; then it relocates people; then it deals with banks and regulators. The whole chain ends with the customer-protection backstop: customers get their money and securities back even if the firm cannot operate.
Exam Tip: Gotchas
- A BCP that does not address customers' prompt access to funds and securities is presumptively non-compliant. Prompt access is specifically enumerated, not optional. The exam will sometimes describe a thorough BCP that lists alternate locations and data backup but omits customer-funds access; the answer is that the BCP fails the business-continuity-plan requirement.
- The BCP must be in writing. A firm that has clear oral protocols and a strong informal culture has not satisfied the business-continuity-plan requirement. The written-document requirement is structural.
Approval and Annual Review
A member of senior management who is also a registered principal must:
- Approve the plan
- Conduct the required annual review to determine whether modifications are necessary in light of changes to operations, structure, business, or location
The plan must also be:
- Disclosed to customers at account opening
- Posted on the member's website (if any)
- Mailed upon request
Exam Tip: Gotchas
- The BCP approver must be both senior management AND a registered principal. A senior officer who is not registered as a principal cannot approve the plan. A registered principal who is not in senior management cannot approve it either. Both conditions must be met.
- Customers must be told about the BCP at account opening. A firm that maintains a perfect BCP but never discloses it to new customers violates the disclosure requirement, even if the BCP itself is fine.
Emergency Contact Persons
Each member must report to FINRA prescribed emergency contact information for the firm. The member must designate two associated persons as Emergency Contact Persons (ECPs):
| ECP | Required Status |
|---|---|
| First ECP | Member of senior management AND a registered principal |
| Second ECP | If not a registered principal, must be a member of senior management with knowledge of the firm's business operations |
Members register and update ECPs through the FINRA Contact System (FCS). Updates are required promptly upon any material change.
Exam Tip: Gotchas
- Both ECPs must be in senior management. The second can be a non-principal, but only if they have knowledge of business operations. A junior compliance assistant cannot be the second ECP, even if they are reachable in an emergency.
- The first ECP must be a registered principal. This is the structural duty that links the BCP rule back to the supervisory framework: someone in the principal supervision chain must be FINRA's first call.
- Updates to ECPs are filed through FCS, not Form U4. The exam sometimes pairs ECP filings with Form U4 amendments to test whether candidates know which system applies.
What Counts as a Significant Business Disruption
A Significant Business Disruption (SBD) is any event that disrupts the firm's ability to operate normally. SBDs scale from local (a power outage at one branch) to wide-scale (a region-wide disruption affecting multiple firms and infrastructure).
The BCP must distinguish between:
- Internal SBDs (firm-specific): one office, one system, one data center
- External SBDs (industry-wide or regional): natural disaster, market-wide outage, terrorist event
The plan addresses both because the recovery resources differ. An internal SBD typically uses backup sites within the firm; an external SBD requires coordination with other firms, exchanges, and regulators.
Customer Communications During an SBD
The BCP must explain how customers will reach the firm if the primary communication channels fail. Acceptable approaches include:
- An alternate phone number that activates during an SBD
- A backup website hosted in a different region
- A relationship with a clearing firm or other counterparty that can field customer calls
- A toll-free number that customers can call to learn the firm's recovery status
The disclosure to customers at account opening must summarize how customers can reach the firm during an SBD. The BCP itself need not be handed to customers, but the summary must be sufficient for a customer to take action.
Exam Tip: Gotchas
- The customer-facing BCP disclosure summarizes the plan; it is not the plan itself. Some firms confuse the disclosure obligation with a duty to provide the entire BCP to customers. The disclosure must give customers what they need to reach the firm in an emergency, not the full text of the document.