Business Continuity Standards for Financial Institutions
| Standard | Description | Applies to |
|---|---|---|
| FFIEC: Business Continuity Planning Booklet (2008) | The FFIEC is responsible for establishing standards to which financial institutions are held. The 2008 version focused on the role of the board and senior management, the addition of pandemic planning, a push toward risk management integration, an emphasis on proactive risk mitigation, and an overall attempt to eliminate ambiguity. This is a mandatory regulatory requirement. | US banks and their service providers |
| FFIEC: Interagency Statement on Pandemic Planning (2007). NOTE: Now included in the 2008 FFIEC Business Continuity Planning Booklet | The statement outlines actions and strategies financial institutions should strongly consider when developing pandemic plans and strategies. The guidance is not mandatory, but most financial institutions should strongly consider implementing the strategies to meet supervisory expectations. This statement is not a regulatory requirement, but it is highly encouraged by regulatory agencies. | US financial institutions and their service providers |
| White Paper on Strengthening the Resilience of the US Financial System (2002) | The paper advises larger financial institutions on the steps necessary to protect the financial system, with three new business continuity objectives: rapid recovery of critical operations following a wide-scale disruption, rapid recovery following loss of staff, and a high level of confidence that internal and external continuity arrangements are effective. The guidance contained in this white paper is often viewed as mandatory for select financial service entities. | All US institutions providing financial services, especially those deemed "critical" by the agencies. The requirements do not, however, apply to the recovery of trading operations or retail financial services. |
| SEC 17 CFR 240 (2005) | SEC regulations require that financial transaction histories be maintained for all electronic securities transactions, and that backup power be in place to maintain continuity. This regulatory requirement is mandatory for applicable entities. | The US securities broker-dealer industry |
| GLBA: Gramm-Leach-Bliley Act (1999) | The GLBA provisions are intended to protect consumers' personal financial information held by financial institutions, and they give authority to eight federal agencies and the states to administer and enforce them. The Act also dictates that institutions should take measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures. This regulatory requirement is mandatory for applicable entities. | All US financial institutions, which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers |
| NYSE Rule 446 / NASD 3510/3520 (2004) | The rule requires that members establish and maintain business continuity strategies and plans relating to an emergency or significant business disruption. It also requires that members' plans be reasonably designed to enable them to meet their existing obligations to customers. This regulatory requirement is mandatory for applicable entities. | All members and member organizations of the NYSE or NASD |