A Guide to the FINRA 4370 Rule
It’s not often that regulators and their member firms are in harmony about the need for, and effectiveness of, a rule. In fact, most new rules lead to complaints about disruptions to growth, unfair disadvantages for smaller firms and unnecessary or irrelevant requirements. But FINRA’s 4370 might be the exception.
“The majority of stakeholders indicated that Rule 4370 works well and expressed the view that the rule’s flexible, non-prescriptive, and risk-based approach has been effective in ensuring firms of all sizes are prepared for potential business disruptions.”
That was stated in FINRA’s review of the emergency preparedness rule, and serves as an insight into the industry reaction to the regulation. Today, find out more about the exact requirements of the rule, some of its challenges and a recent violation. Plus, learn how to satisfy FINRA 4370 to prevent the impacts of non-compliance.
What is FINRA rule 4370?
FINRA’s 4370 is a business continuity planning regulation aimed at broker-dealers. It exists so that a member firm will have a plan during times of emergency and can continue to provide customers access to their funds, even under stress.
Here is a summary of the 4370 rule:
- Create and maintain a plan for significant business disruption
- Annually review and update those plans
- Satisfy (at minimum) ten elements included in the plan – see more below
- Ensure that a designated senior manager approves the plans
- Disclose expected changes to customers when a significant event occurs
- Report emergency contact information to FINRA, the regulator
Here are the ten elements of succession planning that each compliance strategy should include:
| Element | Details |
| --- | --- |
| Data back-up and recovery | Ensure that both local hard drives and cloud-based storage are set to automated backups so that information cannot be lost, and ensure these backups are readily accessible |
| Mission-critical systems | Any system that’s necessary to ensure prompt and accurate processing of securities transactions |
| Financial and operational assessments | A set of written procedures that enable members to identify changes in their risk exposure levels |
| Alternate communications between member and its customers | If the primary communication method becomes impacted (say, emails are hacked and therefore compromised), ensure there is another viable option to reach all customers |
| Alternate communications between member and its employees | If the primary communication method becomes impacted (say, emails are hacked and therefore compromised), ensure there is another viable option to reach all employees |
| Alternate physical location of employees | Members must not disclose such a location to their customers, but should ensure that customers are aware of its existence so that services can continue |
| Critical business third-party impact | Risk-assess vendors and provide response plans in case their businesses are disrupted, leading to knock-on effects for the member |
| Regulatory reporting | Create a plan for regulatory reporting even while primary systems are down, including detecting, monitoring and responding to further incidents |
| Communications with regulators | If the primary communication method becomes impacted (say, emails are hacked and therefore compromised), ensure there is another viable option to reach the regulators |
| Plan to provide access to funds during a critical incident | Ensure that customers will have prompt and easy access to their accounts even when critical systems are down (develop work-around systems) |
When an emergency does occur, firms must decide if they want to stay in business, or shut down their operations to deal with it. Even if they opt for the latter, FINRA mandates that they must continue to provide customers access to their funds promptly and easily, as per the last element in the table above.
Regulators have hit home about the importance of this point in particular, since it’s the biggest priority for broker-dealer firms, whose operations could impact the integrity of the entire market. It’s why we’ve seen similar regulations to address this exact issue in other jurisdictions around the globe, such as DORA in the UK and EU.
Common challenges with 4370 and how to overcome them
In 2019, rule 4370 was reviewed by FINRA to assess the effectiveness of the regulation, and whether any updates were required. It was also reviewed again at the end of 2020 to determine how well the requirements were working, even in the face of the pandemic.
In both cases, FINRA ruled that rule 4370 could be upheld, and was therefore working as desired.
“Stakeholders conveyed their appreciation for the rule’s straightforward approach and expressed a preference for maintaining the current flexible approach. Commenters generally indicated that the rule worked well and expressed the view that the rule provided member firms with the necessary flexibility to successfully execute their BCPs and respond to the pandemic.”
However, the regulator did point out that there were several common challenges in operational efficiency that financial services firms seemed to be struggling with. This FINRA data included:
- Incomplete mission-critical systems: certain systems were missed across the board, especially cybersecurity software to help manage the trading desk or vendor systems
- Insufficient capacity: member firms were not equipped to deal with a higher number of customer support enquiries when an incident occurred
- Failure to update operational changes: firms didn’t re-submit their plan changes to FINRA as they began using new technologies and programs
- Outdated contact information: emergency contact details were not updated as employees entered and left the broker-dealer firm, making them unreachable when incidents occurred
- Inaccessible document storage: critical documents were not readily available when primary systems went down, leading to potential service disruptions and security issues
FINRA recommends that firms overcome these challenges by considering the legislation as a whole, using assessments and training.
By performing annual assessments, FINRA member firms can stress-test their systems under various conditions and identify their vulnerabilities. Then, they have the insights to successfully plug those gaps, ensuring their operational resilience for all scenarios (both planned and unplanned).
Moreover, regular training will keep these response plans at the front of the mind for staff. They’ll become mindful of suspicious or anomalous encounters, and react quickly according to regular training drills.
4370 violation example: Robinhood
Robinhood is a well-known fintech firm that offers self-directed trading. During the 2010s, the platform experienced several outages on both its website and mobile application. This prevented customers from making their trades, accessing funds and making potential profits.
The most serious of these outages occurred on March 2nd and 3rd 2020, and it led to FINRA conducting an investigation into Robinhood.
Investigators found violations of many rules, including FINRA 3110, 2010, and of course, 4370.
Pertaining to rule 4370, FINRA found that Robinhood did not have a business continuity plan that contained effective practices, or was reasonably designed to meet customer obligations.
For example, the trading platform claimed that if their digital systems went down, they would take orders through “other methods”, but didn’t specify any. Moreover, they claimed that they could contact clients by phone, even though they did not have access to a telephone line.
The business continuity plan also limited potential operational obstructions to just physical examples, such as employees not being able to attend the office. The firm failed to consider technological obstructions, such as third party outages.
Finally, Robinhood’s plan was based on a FINRA template that wasn’t wholly applicable to the firm’s operations. It wasn’t totally relevant to the member’s systems or processes, for example in referencing back-up methods that the firm didn’t have access to.
These rule 4370 violations, in combination with other negligence, caused FINRA to issue a regulatory notice and fine Robinhood $57 million. They were also ordered to pay back over $12 million in customer reparations, given a censure and instructed to hire outside counsel to overhaul their business continuity plan.
Compliance with broker-dealer rules
For broker-dealers, there are a whole host of FINRA rules to comply with. From FINRA’s 3110 requirements to business continuity plans, non-compliance with these rules could impact the integrity of the entire market.
And, unlike some regulatory technology organizations, we at Global Relay know that the challenges of compliance only grow as your company does. In fact, by the time Robinhood was investigated, the firm was generating $1.4 billion in revenue!
FINRA’s feedback from stakeholders is that the “current guidance and administrative processes are efficient and effective”. The rule isn’t changing any time soon – so the importance of compliance only grows. Diverting resources from growth to compliance is a tough decision, but it’s a strategic one. But Global Relay provides compliance solutions to help you reap the rewards from that strategic decision. Book a demo to learn more.