FINRA's Pandemic-Related Business Continuity Planning, Guidance, and Regulatory Relief
The Financial Industry Regulatory Authority (“FINRA”) issued Regulatory Notice 20-08 (“RN 20-08”) on March 9, 2020 reminding firms that they should review their pandemic-related business continuity planning. This review should include assessing whether their business continuity plans (“BCPs”) are flexible enough to address the impact of potential pandemic-related situations to their businesses. FINRA also encourages firms to review their BCPs regarding issues such as pandemic preparedness procedures, staff absenteeism, remote office use or telework arrangements, travel or transportation limitations, and technology interruptions or slowdowns. In addition, FINRA encourages firms to review their emergency contacts to ensure that it can communicate with them, if needed.
FINRA Guidance
FINRA’s RN 20-08 offers suggestions about how to handle the following activities during the current coronavirus (COVID-19) pandemic.
Remote Offices or Telework Arrangements
FINRA indicates that firms may consider implementing remote office and/or telework arrangements for their employees. This would include working from home or at a backup or recovery location. Please note that FINRA expects such firms to establish a reasonable process to supervise the activities of each associated person while they work from an alternative or remote location. FINRA also indicates that scheduled on-site branch office inspections may need to be postponed temporarily because of the pandemic. FINRA understands that firms may need to reevaluate how they will complete their annual inspection obligation in 2020 depending on the length and severity of the pandemic.
Communicating with Customers
FINRA encourages firms to review their BCPs in relation to how they can communicate with customers during the pandemic. Firms should also confirm that customers continue to have access to funds and securities.
RN 20-08 provides a remedy for cases in which registered representatives cannot service their customers. FINRA-regulated firms should consider promptly placing a notice on their websites to let affected customers know who they can contact about trade executions, their accounts, and their access to funds or securities. In addition, FINRA reminds firms to consider implementing supervisory controls to mitigate any potential risks associated with their “reduced ability to communicate with customers, their inability to rely on mail delivery, or other disruptions to their existing controls over communications with customers.”
Regulatory Filings and Responses to FINRA Inquiries, Matters, and Investigations
FINRA reminds firms needing extra time to respond to open inquiries, investigations, or upcoming filings to contact their Risk Monitoring Analysts or the relevant FINRA department regarding extensions. Please also note that FINRA might waive late fees that could be incurred, depending on the member firm’s circumstances.
Qualification Examinations and Regulatory Element Continuing Education
Firms should contact FINRA if any of their associated persons affected by the pandemic have qualification examination or continuing education windows that are due to expire.
Updates for Form U4 and Form BR
FINRA indicates that it is temporarily suspending the requirement to update the Form U4 office with the employment address information for registered persons who have temporarily relocated due to COVID-19. In addition, FINRA does not require firms to submit branch office applications on Form BR for those temporary office locations that are opened, or space-sharing arrangements established as a result of the pandemic.
Cybersecurity Controls
FINRA recognizes that firms are understandably focused on continuing business operations while ensuring the health and safety of individuals. However, firms should still ensure their surveillance against cyber threats also continue. Steps should be taken to reduce the risk of cyber events based on how the firm has decided to operate during the pandemic.
FINRA suggests that such steps may include:
- Ensure virtual private networks (VPNs) and other remote access systems are appropriately patched with available security updates
- Check that system entitlements are up to date
- Employ multi-factor authentication for the firm’s associated persons who access systems remotely
- Remind the firm’s associated persons of potential cyber risks through training and compliance alerts that would promote heightened vigilance
FINRA also issued Information Notice - 3/26/20 on March 26, 2020 providing firms and associated persons with measures to help strengthen cybersecurity controls in the following areas where risks may increase in the current environment:
Measures for Associated Persons
- Office and Home Networks
- Computers and Mobile Devices
- Common Attacks
- Incident Response
Measures for Firms
- Network Security Controls
- Training and Awareness
FAQs
Along with RN 20-08, FINRA issued guidance in the form of Frequently Asked Questions (“FAQs”) that discusses the regulatory relief firms can seek in response to the COVID-19 pandemic. The FAQs include helpful information about the temporary relief from rules and requirements being provided in the following areas:
- Advertising Regulation
- Anti-Money Laundering (AML)
- Best Execution
- Broker-Dealer Registration
- Business Continuity Planning
- Filing Extensions – Annual Reports and FOCUS Reports
- Fingerprint Information
- Individual Registration
- Qualification Examinations
- Rule 4530 Reporting Requirements
- Supervision
When the COVID-19-related risks decrease, FINRA reminds member firms that they should expect to return to meeting any regulatory obligations for which relief has been provided. FINRA also indicated that it would publish additional guidance announcing the termination date for any regulatory relief. This would give firms time to make any necessary operational adjustments.
We Are Here For You
ACA is here to support your firm as you navigate this uncertain time. We offer a range of services designed to help firms address and mitigate the new and emerging risks resulting from the COVID-19 pandemic in order to maintain business operations and withstand the crisis. Our solutions include:
- Third-party risk management
- Surveillance (employee risk management)
- Compliance staffing and support solutions
- Cyber awareness training for staff
Please reach out to your ACA consultant or Dee Stafford if your firm needs support.
ACA COVID-19 Resources
Visit our COVID-19 resources page to access all of ACA’s resources to help your firm manage the new and emerging risks created by the pandemic.