
A Guide to the FINRA 4370 Rule

It’s not often that regulators and their member firms are in harmony about the need for, and effectiveness of, a rule. In fact, most new rules lead to complaints about disruptions to growth, unfair disadvantages for smaller firms and unnecessary or irrelevant requirements. But FINRA’s Rule 4370 might be the exception.

Article
17 June 2024 · 8 mins read
By Jennie Clarke

“The majority of stakeholders indicated that Rule 4370 works well and expressed the view that the rule’s flexible, non-prescriptive, and risk-based approach has been effective in ensuring firms of all sizes are prepared for potential business disruptions.”

That statement comes from FINRA’s retrospective review of its emergency preparedness rule, and it gives an insight into the industry’s reaction to the regulation. Below, find out more about the exact requirements of the rule, some of its common challenges and a recent violation. Plus, learn how to satisfy FINRA 4370 and avoid the consequences of non-compliance.

What is FINRA rule 4370?

FINRA Rule 4370 is a business continuity planning regulation aimed at broker-dealers. It exists so that a member firm has a plan in place for emergencies and can continue to give customers access to their funds, even under stress.

Here is a summary of what Rule 4370 requires of a member firm:

  1. Create and maintain a plan for significant business disruption
  2. Annually review and update those plans
  3. Address (at minimum) the ten elements that must be included in the plan – see the table below
  4. Ensure that a designated senior manager approves the plans
  5. Disclose expected changes to customers when a significant event occurs
  6. Report emergency contact information to FINRA, the regulator

Here are the ten elements that each firm’s business continuity plan should include:

| Element | Details |
| --- | --- |
| Data back-up and recovery | Ensure that both local hard drives and cloud-based storage are set to automated backups so that information cannot be lost, and ensure these backups are readily accessible |
| Mission-critical systems | Any system that is necessary to ensure prompt and accurate processing of securities transactions |
| Financial and operational assessments | A set of written procedures that enable the member to identify changes in its risk exposure levels |
| Alternate communications between the member and its customers | If the primary communication method is impacted (say, email accounts are hacked and therefore compromised), ensure there is another viable option to reach all customers |
| Alternate communications between the member and its employees | If the primary communication method is impacted (say, email accounts are hacked and therefore compromised), ensure there is another viable option to reach all employees |
| Alternate physical location of employees | Members must not disclose such a location to their customers, but must ensure that customers are aware of its existence so that services can continue |
| Critical business third-party impact | Risk-assess vendors and prepare response plans for the case where their businesses are disrupted, leading to knock-on effects for the member |
| Regulatory reporting | Create a plan for regulatory reporting even while primary systems are down, including detecting, monitoring and responding to further incidents |
| Communications with regulators | If the primary communication method is impacted (say, email accounts are hacked and therefore compromised), ensure there is another viable option to reach the regulators |
| Plan to provide access to funds during a critical incident | Ensure that customers have prompt and easy access to their accounts even when critical systems are down (develop workaround systems) |

When an emergency does occur, firms must decide whether to stay in business or shut down their operations to deal with it. Even if they opt for the latter, FINRA mandates that they continue to give customers prompt and easy access to their funds, as per the last element in the table above.

Regulators have emphasized this point in particular, since it is the biggest priority for broker-dealer firms, whose operations could affect the integrity of the entire market. It is why we have seen similar regulations addressing this exact issue in other jurisdictions around the globe, such as DORA in the UK and EU.

Common challenges with 4370 and how to overcome them

In 2019, Rule 4370 was reviewed by FINRA to assess the effectiveness of the regulation and whether any updates were required. It was reviewed again at the end of 2020 to determine how well the requirements had held up, even in the face of the pandemic.

In both cases, FINRA concluded that Rule 4370 should be retained as it stood, and that it was therefore working as intended.

“Stakeholders conveyed their appreciation for the rule’s straightforward approach and expressed a preference for maintaining the current flexible approach. Commenters generally indicated that the rule worked well and expressed the view that the rule provided member firms with the necessary flexibility to successfully execute their BCPs and respond to the pandemic.”

However, the regulator did point out several common operational challenges that financial services firms seemed to be struggling with. FINRA’s findings included:

  1. Incomplete mission-critical systems: certain systems were missed across the board, especially cybersecurity software used to manage the trading desk or vendor systems
  2. Insufficient capacity: member firms were not equipped to deal with a higher number of customer support enquiries when an incident occurred
  3. Failure to report operational changes: firms did not re-submit their plan changes to FINRA as they began using new technologies and programs
  4. Outdated contact information: emergency contact details were not updated as employees joined and left the broker-dealer firm, making them unreachable when incidents occurred
  5. Inaccessible document storage: critical documents were not readily available when primary systems went down, leading to potential service disruptions and security issues

FINRA recommends that firms overcome these challenges by considering the rule as a whole and by using assessments and training.

By performing annual assessments, FINRA member firms can stress-test their systems under various conditions and identify their vulnerabilities. They then have the insight needed to plug those gaps, ensuring their operational resilience in all scenarios (both planned and unplanned).

Moreover, regular training keeps these response plans front of mind for staff. They become alert to suspicious or anomalous activity and react quickly, as practised in regular training drills.

4370 violation example: Robinhood

Robinhood is a well-known fintech firm that offers self-directed trading. During the 2010s, the platform experienced several outages on both its website and mobile application. This prevented customers from making their trades, accessing funds and making potential profits. 

The most serious of these outages occurred on March 2nd and 3rd 2020, and it led to FINRA conducting an investigation into Robinhood.

Investigators found violations of several rules, including FINRA 3110, 2010 and, of course, 4370.

Pertaining to rule 4370, FINRA found that Robinhood did not have a business continuity plan that contained effective practices, or was reasonably designed to meet customer obligations.

For example, the trading platform claimed that if their digital systems went down, they would take orders through “other methods”, but didn’t specify any. Moreover, they claimed that they could contact clients by phone, even though they did not have access to a telephone line.

The business continuity plan also limited potential operational obstructions to physical examples only, such as employees not being able to attend the office. The firm failed to consider technological obstructions, such as third-party outages.

Finally, Robinhood’s plan was based on a FINRA template that wasn’t wholly applicable to the firm’s operations. It wasn’t fully relevant to the member’s systems or processes; for example, it referenced back-up methods that the firm didn’t have access to.

These rule 4370 violations, in combination with other negligence, caused FINRA to issue a regulatory notice and fine Robinhood $57 million. They were also ordered to pay back over $12 million in customer reparations, given a censure and instructed to hire outside counsel to overhaul their business continuity plan. 

Compliance with broker-dealer rules

For broker-dealers, there are a whole host of FINRA rules to comply with. From FINRA’s 3110 requirements to business continuity plans, non-compliance with these rules could impact the integrity of the entire market.

And, unlike some regulatory technology organizations, we at Global Relay know that the challenges of compliance only grow as your company does. In fact, by the time Robinhood was investigated, the firm was generating $1.4 billion in revenue! 

FINRA’s feedback from stakeholders is that the “current guidance and administrative processes are efficient and effective”. The rule isn’t changing any time soon, so the importance of compliance only grows. Diverting resources from growth to compliance is a tough decision, but it’s a strategic one, and Global Relay provides compliance solutions to help you reap the rewards of that decision. Book a demo to learn more.
