SEC REQUEST FOR COMMENTS ON REVISED NASD BUSINESS CONTINUITY PLAN RULE PROPOSAL

[16623] October 7, 2003 TO: OPERATIONS COMMITTEE No. 21-03 SEC RULES COMMITTEE No. 80-03 SMALL FUNDS COMMITTEE No. 26-03 UNIT INVESTMENT TRUST MEMBERS No. 33-03 RE: SEC REQUEST FOR COMMENTS ON REVISED NASD BUSINESS CONTINUITY PLAN RULE PROPOSAL The Securities and Exchange Commission has published for comment a notice of proposed amendments to a rule proposal issued by the National Association of Securities Dealers, Inc. related to business continuity plans and emergency contact information.1 The Release is attached, and it is summarized below. NASD Rule 3510 – Business Continuity Plans Proposed Rule 3510 would require each NASD member firm to: (1) create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption; (2) conduct an annual review of the plan and update it as conditions warrant; (3) include in the plan certain specified elements;2 and (4) designate a member of the firm’s senior management (specifically, a registered principal) to approve the plan and be responsible for conducting the required annual review. 1 SEC Release No. 34-48503 (September 17, 2003); 68 Fed. Reg. 55686 (September 26, 2003) (“Release”). The Release is available from the Commission’s web site at http://www.sec.gov/rules/sro/34-48503.htm. As we previously informed you, NASD issued a rule proposal last year to require all NASD members, including mutual fund principal underwriters, to create and maintain business continuity plans (proposed NASD Rule 3510) and supply NASD with emergency contact information (proposed NASD Rule 3520). See Memorandum to Operations Members No. 13-02, SEC Rules Members No. 27-02, and Small Funds Members No. 11-02 (#14670), dated April 25, 2002. The Institute submitted a comment letter on the NASD’s proposal. See Memorandum to Operations Members No. 15-02, SEC Rules Members No. 36-02, and Small Funds Members No. 14-02 (#14724), dated May 15, 2002. The SEC subsequently published a revised version of the NASD’s proposed rule for comment, and the Institute submitted another comment letter at that time. See Memorandum to Operations Members No. 29-02, SEC Rules Members No. 86-02, and Small Funds Members No. 41-02 (#15218), dated October 3, 2002. 2 The proposed rule would require the plan, at a minimum, to address the following areas: (1) data back-up and recovery; (2) all mission critical systems; (3) financial and operational assessments; (4) alternate communications between customers and the firm; (5) alternate communications between the firm and its employees; (6) business constituent, bank and counter- party impact; (7) regulatory reporting; and (8) communications with regulators. In response to an Institute comment, however, the proposed rule previously was revised to clarify that if any of these categories is not applicable, the member’s business continuity plan would not have to address it (although the plan would have to document the reason for not including such category). 2 In response to concerns expressed by a commenter that the proposed rule would impose an obligation on member firms to continue operating their business after a significant business disruption, NASD has proposed amendments to the proposal to clarify that the rule would not create any such obligation. Specifically, the proposed amendments would eliminate the requirement that each business continuity plan must be reasonably designed to enable the member to “continue its business in the event of future significant business disruptions,” and replace it with a requirement that such plan be reasonably designed to enable the member to “meet its existing obligations to customers.”3 The proposed amendments also would require each firm’s business continuity plan to address how it will assure customers’ prompt access to their funds and securities in the event that the firm determines that it is unable to continue its business. NASD also has proposed amendments that would require each member to disclose to its customers in writing how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope.4 The Release explains that this requirement would enable investors to make an educated decision about whether to place their funds and securities at the specific member based on the firm’s business continuity planning, and also would deter firms from creating plans that do not adequately address contingency planning. NASD Rule 3520 – Emergency Contact Information Proposed Rule 3520 would require each NASD member firm to: (1) provide NASD with certain emergency contact information for at least two emergency contact persons, each of which must be a member of senior management and a registered principal; and (2) promptly update its emergency contact information in the event of any material change. To ensure the accuracy of this information, NASD proposes to amend the proposal to require each firm to review and, if necessary, update its emergency contact information, including designation of two emergency contact persons, within 17 business days after the end of each calendar quarter. The amendments also would require each firm to have adequate controls and procedures to ensure that only the member’s Executive Representative may perform the review and update. Comments on the proposal are due to the SEC by October 17, 2003. If you have comments that you would like the Institute to consider in a possible comment letter, please provide them to Barry Simmons at (202) 326-5923 (phone), at (202) 326-5827 (fax), or at bsimmons@ici.org (email), or Frances Stadler at (202) 326-5822 (phone), at (202) 326-5827 (fax), or at frances@ici.org (email) by Friday, October 10th. Barry E. Simmons Associate Counsel 3 See Rule 3510(a). 4 The Release adds that at a minimum, such disclosures should be made in writing to customers at account opening, posted on the member’s Internet web site (if the member maintains a web site), and mailed to customers upon request. In addition, the Release clarifies that members need not disclose their actual plans; rather, members are permitted to create a summary of how their plan addresses the possibility of significant business disruptions and disclose the member’s general planned responses to significant business disruptions.