NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan
Since the events of September 11, 2001, the financial services industry has devoted increased attention to issues relating to disaster recovery plans. NFA's Board of Directors (Board) believes that disaster recovery and business continuity issues are of utmost importance and that NFA should be proactive in ensuring that its Members have adequate disaster recovery plans in place. As a result, NFA's Board recently adopted NFA Compliance Rule 2-38 to require all Members to adopt a business continuity and disaster recovery plan (Plan).
Compliance Rule 2-38 is broadly written to provide Members with the flexibility to adopt a Plan tailored to their individual needs. NFA recognizes that the exact form of the Plan adopted by a Member will vary based on a number of factors, including the size and complexity of the Member's business and the firm's resources. Nevertheless, the Board believes Members need additional guidance on the essential components of a Plan and what is required to maintain a Plan. This interpretive notice provides that guidance.
Compliance Rule 2-38 requires Members to have a Plan reasonably designed to enable them to continue operating, to reestablish operations, or to transfer their business to other Members with minimal disruption to their customers, other Members, and the commodity futures markets. A Plan should address the following, as applicable:
These components are minimum areas that should be addressed in Members' Plans. A Member's Plan should also address any other areas that are essential to its business operations. An effective Plan will be designed to meet the Member's individual situation and needs.
Maintaining the Plan
In order for a Member's Plan to remain effective, the Member must update its Plan as necessary to respond to material changes in the Member's operations. Each Member must also periodically conduct and evidence reasonable reviews designed to assess the Plan's effectiveness.
Even the best Plan is useless if it is not available when needed. Therefore, each Member should distribute and explain the Plan to its key employees and communicate the essential components of the Plan to all employees. Each Member should also maintain copies of the Plan at one or more off-site locations that are readily accessible to key employees. NFA Compliance Rule 2-38 requires NFA Members to establish and maintain business continuity and disaster recovery plans that are consistent with this interpretive notice. The Rule provides Members with flexibility in developing those Plans, and each Member should adopt a Plan that meets its individual situation and needs.