Self-Regulatory Organizations; Notice of Filing of Amendment Nos. 1, 2, and 3 to a Proposed Rule Change by the National Association of Securities Dealers, Inc. Relating to Business Continuity Plans and Emergency Contact Information

Federal Register, Mar 10, 2003
68 Fed. Reg. 11432 (Mar. 10, 2003)
March 4, 2003.

Pursuant to section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”) and Rule 19b-4 thereunder, the National Association of Securities Dealers, Inc. (“NASD”), on August 7, 2002, filed with the Securities and Exchange Commission (“Commission”), a proposed rule change to require its members to establish and maintain business continuity plans. The Commission published the proposed rule change in the Federal Register on September 9, 2002. The Commission received three comments in response to the Original Notice. The NASD submitted amendments to the proposed rule change on December 12, 2002; January 8, 2003; and February 19, 2003. The Commission is publishing this notice of Amendment Nos. 1, 2, and 3 to solicit comments on the proposed rule change, as amended, from interested persons.

17 CFR 240.19b-4.

Securities Exchange Act Release No. 46444 (August 30, 2002), 67 FR 57257 (“Original Notice”).

See letter from Brian J. Woldow, Office of General Counsel, NASD, to Katherine A. England, Division of Market Regulation, Commission, dated December 11, 2002 (“Amendment No. 1”).

See letter from Brian J. Woldow, Office of General Counsel, NASD, to Katherine A. England, Division of Market Regulation, Commission, dated January 8, 2003 (“Amendment No. 2”).

See letter from Brian J. Woldow, Office of General Counsel, NASD, to Katherine A. England, Division of Market Regulation, Commission, dated February 19, 2002 (“Amendment No. 3”).

I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change

The NASD is proposing to clarify that the proposed rule change, which would require member firms to create and maintain business continuity plans and to provide the NASD with certain information to be used in the event of future significant business disruptions, also would require members' business continuity plans to be reasonably designed to enable members to continue their business in the event of a significant business disruption. Below is the text of the proposed rule change, as amended. The base rule text is that proposed in the Original Notice. Language added by Amendments Nos. 1, 2 and 3 is italicized; language deleted by the amendments is in brackets.

3500. Emergency Preparedness

3510. Business Continuity Plans

(a) Each member must create and maintain a written business continuity plan identifying procedures [to be followed in the event of] relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to continue its business in the event of future significant business disruptions. The business continuity plan must be made available promptly upon request to NASD staff.

(b) Each member must update its plan in the event of any material change to the member's operations, structure, business, or location. Each member must also conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business, or location.

(c) The [requirements of] elements that comprise a business continuity plan are flexible and may be tailored to the size and needs of a member. Each plan, however, must at a minimum, address:

(1) Data back-up and recovery (hard copy and electronic);

(2) All mission critical systems;

(3) Financial and operational assessments;

(4) Alternate communications between customers and the member;

(5) Alternate communications between the member and its employees;

(6) Business constituent, bank, and counter-party impact;

(7) Regulatory reporting; and

(8) Communications with regulators.

Each member must address the above-listed categories to the extent applicable and necessary to enable the member to continue its business in the event of a future significant business disruption. If any of the above-listed categories is not applicable, the member's business continuity plan need not address the category. The member's business continuity plan, however, must document the rationale for not including such category in its plan. If a member relies on another entity for any one of the above-listed categories or any mission critical system, the member's business continuity plan must address this relationship.

(d) Members must designate a member of senior management to approve the plan and he or she shall be responsible for conducting the required annual review. The member of senior management must also be a registered principal.

[d](e) For purposes of this rule, the following terms shall have the meanings specified below:

(1) “Mission critical system” means any system that is necessary, depending on the nature of a member's business, to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.

(2) “Financial and operational assessment” means a set of written procedures that allows a member to identify changes in its operational, financial, and credit risk exposures.

3520. Emergency Contact Information

(a) Each member shall report to NASD, via such electronic or other means as NASD may require, prescribed emergency contact information for the member. Among other things, t[T]he emergency contact information for the member includes designation of two emergency contact persons. Each emergency contact person shall be a member of senior management and a registered principal of the member.

(b) Each member must promptly update its emergency contact information, via such electronic or other means as NASD may require, in the event of any material change[, but at a minimum must review the information contained therein twice a year to ensure its accuracy].

II. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

In its filing with the Commission, the NASD included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. The NASD has prepared summaries, set forth in Sections A, B, and C below, of the most significant aspects of such statements.

A. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

1. Purpose

The purpose of Amendment No. 3 is to clarify that the language of proposed NASD Rule 3510 is intended to require not only that members conduct a planning process to create a written business continuity plan, but also that the plan resulting from this process be reasonably designed to enable members to continue their business in the event of a future significant business disruption.

As described in detail in the Original Notice, following the tragic events of September 11, 2001, and after an extensive survey of the business continuity practices of members, the NASD proposed two new rules, Rules 3510 and 3520. Proposed NASD Rule 3510 would require members to create and maintain business continuity plans. In developing this rule, the NASD recognized the diversity in size, structure, operations, and business of its members. Each member's plan would be required, at a minimum, to address eight areas specified in the proposed rule change, which the NASD believes are essential to a broker-dealer's business continuity plan.

Proposed NASD Rule 3510 also would require members to update their business continuity plans based on any material change to the member's operations, structure, business, or location. In addition, members would be required to conduct an annual review of their plans to determine whether any modifications are needed in light of any changes to the member's operations, structure, business, or location. Finally, members would be required to designate a member of senior management to approve the plan and conduct the annual review.

The NASD's experience in the aftermath of September 11th also confirmed that the NASD needs a fully reliable means of contacting firms in the event of an emergency. Proposed NASD Rule 3520 would require members to file and keep current with the NASD certain key information that would be of particular importance during significant business disruptions, including:

  • Emergency contact information for key staff;
  • Identification of two designated contact persons;
  • Location of books and records (including back-up locations);
  • Clearance and settlement information;
  • Identification of key banking relationships; and
  • Alternative communication plans for investors.

The purpose of Amendment No. 3 is to address concerns that a literal reading of proposed NASD Rule 3510, as set forth in the Original Notice, could suggest that the rule would require members only to create, maintain, and periodically review a business continuity plan, but would not require that members' plans be effective in enabling members to continue their business in the event of a future significant business disruption. The NASD did not intend to propose a rule of such limited scope. In this regard, in its description of the purpose of the proposed rule change, the NASD stated that “[t]he purpose of the proposed rule change is to help to ensure that NASD members will be able to continue their business in the event of future significant business disruptions.” The NASD believes that members should be obligated to develop a business continuity plan that is reasonably designed, in light of particular characteristics of the firm, to allow the firm to recover as early as practicable in the event of a future significant business disruption.

Therefore, the NASD is proposing to amend proposed NASD Rules 3510(a) and 3510(c) to clarify that the rule is intended to require not only that members conduct a planning process to create a written business plan, but also that the plan resulting from this process be reasonably designed to enable the member to continue its business in the event of future significant business disruptions. The NASD notes that the amended rule language is consistent with NASD rules in other areas where reasonableness standards have been adopted because the diversity of the NASD's membership made specific standards impracticable. The NASD believes that, in light of the concerns regarding the clarity of the original proposed rule text, this amendment to the proposed rule change should be published for comment to ensure that interested persons are given notice of the clarification and an opportunity to comment thereon.

See, e.g., NASD Rules 3010 (Supervision) and 3011 (Anti-Money Laundering Compliance Program).

2. Statutory Basis

The NASD believes that the proposed rule change, as amended, is consistent with the provisions of section 15A(b)(6) of the Act, which requires, among other things, that the NASD's rules be designed to prevent fraudulent and manipulative acts and practices; to promote just and equitable principles of trade; and, in general, to protect investors and the public interest. The NASD believes that the proposed rule change, as amended, which would help to ensure that members are prepared for significant business disruptions, is consistent with those purposes.

B. Self-Regulatory Organization's Statement on Burden on Competition

The NASD does not believe that the proposed rule change, as amended, would result in any burden on competition that is not necessary or appropriate in furtherance of the purposes of the Act.

C. Self-Regulatory Organization's Statement on Comments on the Proposed Rule Change Received From Members, Participants, or Others

Written comments were received in response to Notice to Members 02-23 (April 2002) and the Original Notice. The NASD received 32 comment letters following publication of the Notice to Members. The NASD received three comment letters in response to the Original Notice. In response to these comment letters, the NASD identified the following issues that warranted amendments and/or further clarification.

Categories of a Member's Business Continuity Plan

Proposed NASD Rule 3510(c) would state that the “requirements of a business continuity plan are flexible and may be tailored to the size and needs of a member.” The rule would require that each plan must, at a minimum, address eight key categories.

These categories are: (1) Data back-up and recovery (hard copy and electronic); (2) all mission critical systems; (3) financial and operational assessments; (4) alternate communications between customers and the member; (5) alternate communications between the member and its employees; (6) business constituent, bank, and counter-party impact; (7) regulatory reporting; and (8) communications with regulators.

In the Original Notice, the NASD stated that “each member's business continuity plan will only be required to address the eight listed categories * * * to the extent applicable and necessary.” One commenter believed that NASD Rule 3510 should specifically state this interpretation directly in the rule text. In response, the NASD in Amendment No. 2 proposed to revise proposed Rule 3510(c) to include the following statement:

Each member must address the above-listed categories to the extent applicable and necessary to ensure the continuity of its business in the event of a future significant business disruption. If any of the above-listed categories is not applicable, the member's business continuity plan need not address the category. The member's business continuity plan, however, must document the rationale for not including such category in its plan. If a member relies on another entity for any one of the above-listed categories or any mission critical system, the member's business continuity plan must address this relationship.

The NASD believes that this proposed language would ensure that members understand that, if any of the categories are not applicable, the member would still be required to document the rationale for not including such category in its business continuity plan. For example, if a member's books and records are kept at its clearing firm, the member's plan would be required to address this fact as well as the relationship with (including the identity of) the clearing firm.

Requirement To Update Business Continuity Plans

Proposed NASD Rule 3510(b) would require that each member conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business, or location. Some commenters believed that the yearly review requirement was inadequate. Although commenters cited different events that should trigger an update of a business continuity plan, most commenters who dissented believed that plans should be updated more frequently.

The NASD believes that, at a minimum, an annual review of the plan is necessary. In response to member and industry comment, the NASD in Amendment No. 1 revised the proposed rule language to expand upon this requirement and include the following language:

Each member must update its plan in the event of any material change to the member's operations, structure, business or location. Each member also must conduct an annual review of its plan to determine whether any modifications are necessary in light of changes to the member's operations, structure, business or location.

This added language emphasizes that members must promptly update their business continuity plans whenever there is a material change in a member's operations, structure, business, or location that affects the information set forth in the business continuity plan. This requirement would be in addition to the yearly review requirement.

Business Constituent, Bank, and Counter-Party Impact

One of the categories that members' business continuity plans would be required to address is “business constituent, bank, and counter-party impact.” Commenters sought clarification of this category. The NASD believes that, under this category, firms should have procedures that assess the impact that a significant business disruption has on business constituents (businesses with which a member firm has an on-going commercial relationship pertaining to the support of the member's operating activities), banks (lenders), and counter-parties (such as other broker-dealers or institutional customers). In addition, the NASD believes that members should provide for alternative actions or arrangements with respect to their contractual relationships with business constituents, banks, and counter-parties upon the occurrence of a material business disruption to either party.

Category of Books and Records Back-Up and Recovery

One of the categories that members' business continuity plans must address is “books and records back-up and recovery (hard copy and electronic).” One commenter requested clarification of whether the rule would create a requirement that members have both hard copy and electronic books and records. While proposed NASD Rule 3510 refers to the types of books and records that a firm might maintain, it does not mandate that members keep books and records (and back-up books and records) in both hard copy and electronic formats. To determine what records (and in what format) firms must retain, members should refer to Commission and NASD rules and interpretative materials specifically addressing record retention requirements, such as Rule 17a-4 under the Act and NASD Rule 3110.

Application of Proposed Rule to Subsidiaries

In the Original Notice, the NASD stated that it believes that a subsidiary member firm may satisfy its obligations under the proposed rule by participating in a corporate-wide business continuity plan of a parent corporation that addresses its subsidiary member firms. As a result, a subsidiary member firm could rely on the corporate-wide business continuity plan of its parent corporation, regardless of whether the parent corporation is a member or non-member. The Original Notice, however, stated that the parent corporation's business continuity plan would have to comply fully with proposed NASD Rule 3510 and address all requirements under the proposed rule. In addition, it noted that the parent and subsidiary corporations would both be required to comply with NASD rules on recordkeeping and supervision for purposes of proposed NASD Rule 3510, and that the parent corporation would be required to grant NASD access to its business continuity plan upon request.

One commenter believed that it would not be appropriate to subject non-member firms to these NASD requirements, nor would it be necessary. The NASD, however, believes that, if a member chooses to participate in a parent company's corporate-wide business continuity plan, the record-keeping of that plan and any supervision of the creation, execution, or updating of that plan must comply with NASD rules on record-keeping and supervision. Participating in a corporate-wide business continuity plan is merely an alternative and is intended to give firms greater flexibility in complying with the proposed rule.

Senior Management Approval

The NASD is proposing to amend the text of proposed NASD Rule 3510 to include new subsection (d) to conform the NASD's proposed rule with the NYSE's proposed business continuity rule. The NASD agrees with the requirement set forth in the NYSE proposal that a member of senior management and a registered principal should approve a member's business continuity plan, including any updates to the plan, to ensure that the creation and maintenance of any plan is reviewed and approved by persons with appropriate expertise and seniority.

See Securities Exchange Act Release No. 46443 (August 30, 2002), 67 FR 57264 (September 9, 2002) (SR-NYSE-2002-35).

Emergency Contact Information

Proposed NASD Rule 3520 would require members to provide the NASD with emergency contact information and update any information upon the occurrence of a material change. One commenter suggested that the NASD take a proactive role in gathering emergency contact information. As stated in the Original Notice, the NASD believes that this duty should lie with the member firm because the member will be best able to identify when a material change has taken place. Nevertheless, the NASD in Amendment No. 1 proposed to revise proposed Rule 3520(b) to require members to promptly update any changes to their emergency contact information. In addition, the NASD is eliminating the semi-annual update requirement from the rule text. Rather, to be consistent with other contact information required by the NASD and periodic updates required by the NYSE, the NASD will issue future guidance on a periodic update requirement. The NASD also is amending proposed NASD Rule 3520(a) to include the phrase “[a]mong other things” to emphasize that the NASD is requiring other contact information in addition to designating two emergency contact persons.

III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action

Within 35 days of the date of publication of this notice in the Federal Register or within such longer period (i) as the Commission may designate up to 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding, or (ii) as to which the self-regulatory organization consents, the Commission will:

(A) by order approve such proposed rule change; or

(B) institute proceedings to determine whether the proposed rule change should be disapproved.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the proposed rule change, as amended, is consistent with the Act. Persons making written submissions should file six copies thereof with the Secretary, Securities and Exchange Commission, 450 Fifth Street, NW., Washington, DC 20549-0609. Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for inspection and copying in the Commission's Public Reference Room. Copies of such filing will also be available for inspection and copying at the principal office of the NASD. All submissions should refer to File No. SR-NASD-2002-108 and should be submitted by March 31, 2003.

For the Commission, by the Division of Market Regulation, pursuant to delegated authority.

17 CFR 200.3-3(a)(12).

Margaret H. McFarland,

Deputy Secretary.

[FR Doc. 03-5601 Filed 3-7-03; 8:45 am]

BILLING CODE 8010-01-P