FINRA Files Rule with SEC for Authority to Designate Firms for Mandatory Participation in FINRA's Business Continuity/Disaster Recovery Testing, As Required by Regulation SCI
BC/DR Testing Under Regulation SCI
Regulatory Notice
Notice Type: New Rule
Referenced Rules & Notices: FINRA Rule 4380; Rule 1000 of SEC Regulation SCI; Rule 1001 of SEC Regulation SCI; Rule 1004 of SEC Regulation SCI
Suggested Routing: Compliance, Legal, Operations, Systems, Trading, Training, Risk Management Committee
Key Topics: Business Continuity Disaster Recovery Planning Regulation SCI
Executive Summary
As required by Regulation Systems Compliance and Integrity (Regulation SCI), FINRA has adopted new Rule 4380 related to mandatory member firm participation in business continuity and disaster recovery (BC/DR) testing.1 The new rule authorizes FINRA to designate firms that must participate in FINRA's BC/DR testing under Regulation SCI, which will be conducted once per year. Under Rule 4380, FINRA will designate member firms for mandatory BC/DR testing participation based on established standards, which this Notice describes in detail.
Questions regarding this Notice should be directed to:
Background and Discussion
Regulation SCI was adopted by the SEC on November 19, 2014, and the general compliance date is November 3, 2015.2
Regulation SCI requires that FINRA, as an SCI entity, establish, maintain, and enforce written policies and procedures that address, among other things, "[b]usiness continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse...."3 In addition, Regulation SCI contains a separate, corresponding requirement that each SCI entity, including FINRA, designate firms that must participate in the testing of the entity's BC/DR plans.4
The SEC noted when it adopted Regulation SCI that these mandatory backup plan testing requirements are meant to reduce the risks associated with backup plan activation and to ensure that such plans operate as intended, if activated.5 The SEC pointed specifically to situations like Superstorm Sandy, which caused the securities markets to close for two days in part based on the belief of some exchanges that some market participants could or would not be able to operate adequately from the backup facilities of all market centers.6
As a result, Regulation SCI requires SCI entities, including FINRA, to do three things in conjunction with testing their BC/DR plans:
FINRA believes, based on preliminary discussions among SCI entities, that the yearly BC/DR testing contemplated by Regulation SCI would likely take the place of the current industry test facilitated by the Securities Industry and Financial Markets Association (SIFMA) each October. This would be consistent with guidance the SEC provided in Regulation SCI, when it noted that the existing SIFMA test could provide a foundation for the regulation's mandatory testing requirements.
Established Standards to Designate Members for Mandatory BC/DR Testing
Under FINRA Rule 4380, FINRA will designate member firms according to established criteria that are designed to ensure participation by those firms that FINRA reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of its BC/DR plan. FINRA noted when it filed Rule 4380 that its designation criteria will consider volume of activity on a FINRA market system over a specified period of time.
Based on a study of the member-facing systems that FINRA believes would be subject to Rule 4380—the equity trade reporting facilities (the FINRA/NYSE TRF, the FINRA/Nasdaq TRF and ORF), equity order audit trail system (OATS), equity quotation display and trade reporting facility (ADF), unlisted equity quotation display facility (OTCBB), and fixed income trade reporting system (TRACE)—FINRA has established the following criteria for member firm designation, which reflect the different types or levels of activity generally found on each system.
In general, if the 5 percent threshold were to be applied today, it would result in roughly five to nine firms designated per system, generally representing at least 50 percent of the activity on each system. FINRA notes, however, that if designation according to the 5 percent threshold would not result in a representation of at least 50 percent of the activity on a given system for a future testing cycle, then the top most active participants that together represent the minimum cumulative activity level would be designated despite the fact that their individual activity levels may be below the 5 percent threshold.
Designation would occur according to these established criteria at least 90 days prior to the scheduled testing date. To safeguard potentially sensitive information concerning member firms' trading activity, FINRA will notify firms that meet the designation criteria on an individual basis, rather than through public notice. FINRA will continue to study the characteristics of each system on an ongoing basis, both between now and the first designation, and in future designation/testing cycles. Should FINRA determine at any time that adjustments to these established criteria are necessary to improve its BC/DR testing process, it will publish a Regulatory Notice prior to the change.
Results of Designation and Voluntary Test Participation
Rule 4380(c) states the obligations of member firms that are designated for mandatory participation in FINRA's BC/DR testing according to the standards specified above. Specifically, designated firms would be required to fulfill, within the time frames established by FINRA, certain testing requirements that FINRA determines are necessary and appropriate. These requirements could include, for example, bringing up their systems on the designated testing day and processing test scripts to simulate trading activity. Designated firms may also be required to satisfy related reporting requirements, for example, reporting the firm's testing results, so that FINRA may evaluate the efficacy of the test and, correspondingly, its BC/DR plan.11
FINRA recognizes that there may be additional market participants that wish to participate on a voluntary basis in FINRA's annual BC/DR test beyond those that are designated under Rule 4380. For example, certain system participants may wish to test their backup capabilities even if they do not exceed the system's threshold cutoff. Additionally, third-party service providers, like service bureaus that transmit information to FINRA systems on behalf of FINRA member firms, may also wish to ensure their ability to function in FINRA's backup environment, even though the service providers may not be subject to Rule 4380. FINRA encourages any such market participant to contact FINRA Product Management at (866) 899-2107 or Market Operations at (866) 776-0800 to consider arrangements to take part in FINRA's testing.
1. See File No. SR-FINRA-2015-046 (filed with the SEC on October 30, 2015).
2. See Securities Exchange Act Release No. 73639 (November 19, 2014), 79 FR 72252 (December 5, 2014) ("SCI Adopting Release").
3. Rule 1001(a)(2)(v) of SEC Regulation SCI.
4. Rule 1004 of SEC Regulation SCI.
5. See SCI Adopting Release, 79 FR at 72348.
6. See id., 79 FR at 72348.
7. The SEC explained that "functional and performance testing" requires more than simple connectivity or validation testing. According to the SEC, it also requires testing of an SCI entity's systems, such as order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if they can operate as contemplated by business continuity and disaster recovery plans. But it does not require comprehensive simulation of the same levels of liquidity, depth, volatility, and other characteristics of trading on a normal trading day. See SCI Adopting Release, 79 FR at 72353.
8. Rule 1004 of SEC Regulation SCI.
9. Based on FINRA's analysis of recent activity on each of the specified systems, FINRA intends to calculate participant activity at the Member Participant Identifier (MPID) level and designate the parent firm of any MPID that meets or exceeds a stated threshold. If FINRA encounters a situation where a parent firm represents significant volume on a system through multiple MPIDs—none of which individually meet or exceed the system's stated threshold—FINRA may in its discretion designate the member based on its overall activity on the system.
10. The terms agency debt security and securitized product are defined in Rule 6710.
11. As it noted when it filed Rule 4380, FINRA anticipates that compliance with the rule would be enforced consistent with existing FINRA rules and practice, and that a designated firm's failure to participate in mandatory testing could result in possible sanctions, including fines, under FINRA Rule 8310.