9052 - NFA COMPLIANCE RULE 2-38: BUSINESS CONTINUITY AND DISASTER RECOVERY PLAN
(Board of Directors, July 1, 2003)
Since the events of September 11, 2001, the financial services industry has devoted increased attention to issues relating to disaster recovery plans. NFA's Board of Directors (Board) believes that disaster recovery and business continuity issues are of utmost importance and that NFA should be proactive in ensuring that its Members have adequate disaster recovery plans in place. As a result, NFA's Board recently adopted NFA Compliance Rule 2-38 to require all Members to adopt a business continuity and disaster recovery plan (Plan).
Compliance Rule 2-38 is broadly written to provide Members with the flexibility to adopt a Plan tailored to their individual needs. NFA recognizes that the exact form of the Plan adopted by a Member will vary based on a number of factors, including the size and complexity of the Member's business and the firm's resources. Nevertheless, the Board believes Members need additional guidance on the essential components of a Plan and what is required to maintain a Plan. This interpretive notice provides that guidance.
Compliance Rule 2-38 requires Members to have a Plan reasonably designed to enable them to continue operating, to reestablish operations, or to transfer their business to other Members with minimal disruption to their customers, other Members, and the commodity futures markets. A Plan should address the following, as applicable:
- Establishing back-up facilities, systems, and personnel that are located in one or more reasonably separate geographic areas from the Member's primary facilities, systems, and personnel (e.g. primary and back-up facilities should be located in different power grids and different telecommunication vendors should be used), which may include arrangements for the temporary use of facilities, systems, and personnel provided by third parties;
- Backing up or copying essential documents and data (e.g. general ledger) on a periodic basis and storing the information off-site in either hard-copy or electronic format;
- Considering the impact of business interruptions encountered by third parties and identifying ways to minimize that impact; and
- Developing a communication plan to contact essential parties such as employees, customers, carrying brokers, vendors and disaster recovery specialists.
These components are minimum areas that should be addressed in Members' Plans. A Member's Plan should also address any other areas that are essential to its business operations. An effective Plan will be designed to meet the Member's individual situation and needs.
Maintaining the Plan
In order for a Member's Plan to remain effective, the Member must update its Plan as necessary to respond to material changes in the Member's operations. Each Member must also periodically conduct and evidence reasonable reviews designed to assess the Plan's effectiveness.
Even the best Plan is useless if it is not available when needed. Therefore, each Member should distribute and explain the Plan to its key employees and communicate the essential components of the Plan to all employees. Each Member should also maintain copies of the Plan at one or more off-site locations that are readily accessible to key employees.
NFA Compliance Rule 2-38 requires NFA Members to establish and maintain business continuity and disaster recovery plans that are consistent with this interpretive notice. The Rule provides Members with flexibility in developing those Plans, and each Member should adopt a Plan that meets its individual situation and needs.