Business Continuity Plans (BCP)

Natural disasters, cyberattacks, pandemics: disruptions happen. FINRA Rule 4370 requires every member firm to have a plan for how it will continue serving customers when things go wrong.


FINRA Rule 4370: Core Requirement

Every FINRA member firm must create and maintain a written Business Continuity Plan (BCP) that identifies procedures for responding to emergencies or significant business disruptions.

The plan must be reasonably designed to enable the firm to meet its existing obligations to customers.

Think of it this way: A BCP is like a fire escape plan for a building. You hope you never need it, but when you do, everyone needs to know exactly where to go and what to do. For a brokerage firm, the priority is making sure customers can still access their money and securities.


What the BCP Must Address

The plan must cover these categories (to the extent applicable to the firm):

  • Data backup and recovery: how will the firm restore critical data?
  • Alternate communications: how will the firm communicate with customers, employees, and regulators?
  • Critical business operations: which operations must continue during disruptions?
  • Financial and operational assessments: how will the firm evaluate its financial condition?
  • Alternate physical location: where will employees work if the primary office is unavailable?
  • Customer access to funds and securities: how will customers get their money and securities?
  • Regulatory reporting: how will the firm continue meeting its reporting obligations?

BCP Maintenance and Governance

| Requirement | Details |
|---|---|
| Annual review | Must be reviewed at least once per year |
| Update on material change | Must be updated whenever there is a material change to the firm's operations, structure, business, or location |
| Senior management approval | A member of senior management (who is also a registered principal) must approve the plan and conduct the annual review |
| Customer disclosure | Firm must disclose to customers in writing how the BCP addresses the possibility of a future disruption |
| Emergency contact | An emergency contact person must be designated and registered with FINRA |

Exam Tip: Gotchas

  • The BCP is not a "set it and forget it" document. It requires annual review AND updates on material changes. The exam may test whether a firm needs to update its BCP after relocating its office (yes, it does).
  • The person who approves the BCP must wear two hats. They must be both a member of senior management AND a registered principal.

Flexibility by Firm Size

The elements of a BCP are flexible and may be tailored to the size and needs of the firm. If a particular category does not apply, the firm does not need to address it, but it must document the rationale for excluding it.

Exam Tip: Gotchas

  • Every member firm needs a BCP. There is no exemption for small firms.
  • The plan must be disclosed to customers. They need to know how to access their assets if the firm is disrupted.