Federal Reserve Bank of Dallas
2200 N. PEARL ST.
DALLAS, TX 75201-2272

April 18, 2003

Notice 03-21

TO: The Chief Executive Officer of each
financial institution and others concerned
in the Eleventh Federal Reserve District

SUBJECT
Interagency Paper on Sound Practices to Strengthen
the Resilience of the U.S. Financial System
DETAILS
The Federal Reserve Board, the Office of the Comptroller of the Currency, and the
Securities and Exchange Commission have published an interagency paper titled Sound
Practices to Strengthen the Resilience of the U.S. Financial System. The Federal Reserve Bank
of New York also participated in drafting the paper.
The paper identifies three new business continuity objectives that have special
importance in the post-September 11 risk environment for all financial firms. The paper also
identifies four sound practices that focus on minimizing the immediate systemic effects of a
wide-scale disruption on critical financial markets to ensure the resilience of the U.S. financial
system. The agencies expect organizations that fall within the scope of this paper to adopt the
sound practices within the specified implementation timeframes, as described in more detail in
the paper.
ATTACHMENT
A copy of the agencies’ paper as it appears on pages 17809–14, Vol. 68, No. 70 of the
Federal Register dated April 11, 2003, is attached.

For additional copies, bankers and others are encouraged to use one of the following toll-free numbers in contacting the Federal
Reserve Bank of Dallas: Dallas Office (800) 333-4460; El Paso Branch Intrastate (800) 592-1631, Interstate (800) 351-1012;
Houston Branch Intrastate (800) 392-4162, Interstate (800) 221-0363; San Antonio Branch Intrastate (800) 292-5810.

MORE INFORMATION
For more information, please contact Jeffrey Marquardt, (202) 452-2360, or Angela
Desmond, (202) 452-3497, Board of Governors of the Federal Reserve System. Paper copies of
this notice or previous Federal Reserve Bank notices can be printed from our web site at
http://www.dallasfed.org/banking/notices/index.html.

Federal Register / Vol. 68, No. 70 / Friday, April 11, 2003 / Notices

[Docket No. R–1128]

DEPARTMENT OF THE TREASURY
Office of the Comptroller of the
Currency
[Docket No. 03–05]

SECURITIES AND EXCHANGE
COMMISSION
[Release No. 34–47638; File No. S7–32–02]

Interagency Paper on Sound Practices
To Strengthen the Resilience of the
U.S. Financial System
AGENCIES: Board of Governors of the
Federal Reserve System; Office of the
Comptroller of the Currency; and
Securities and Exchange Commission.
ACTION: Issuance of interagency paper.
SUMMARY: The Federal Reserve Board
(Board), the Office of the Comptroller of
the Currency (OCC) and the Securities
and Exchange Commission (SEC) are
publishing an Interagency Paper on
Sound Practices to Strengthen the
Resilience of the U.S. Financial System.
The Federal Reserve Bank of New York
also participated in drafting the paper.
The paper identifies three new business
continuity objectives that have special
importance in the post-September 11
risk environment for all financial firms.
The paper also identifies four sound
practices to ensure the resilience of the
U.S. financial system, which focus on
minimizing the immediate systemic
effects of a wide-scale disruption on
critical financial markets. The agencies
expect organizations that fall within the
scope of this paper to adopt the sound
practices within the specified
implementation timeframes, as
described in more detail in the paper.
FOR FURTHER INFORMATION CONTACT:
Board: Jeffrey Marquardt, Associate
Director, Division of Reserve Bank
Operations and Payment Systems (202)
452–2360; or Angela Desmond,
Assistant Director, Division of Banking
Supervision and Regulation (202) 452–
3497.
OCC: Ralph Sharpe, Deputy
Comptroller for Bank Technology (202)
874–4572; or Aida Plaza Carter,
Director, Bank Information Technology
Operations (202) 874–4740.
SEC: Robert Colby, Deputy Director,
Division of Market Regulation (202)
942–0094; David Shillman, Counsel to
the Director, Division of Market
Regulation (202) 942–0072; or Peter
Chepucavage, Attorney Fellow, Division
of Market Regulation (202) 942–0163.

On
September 5, 2002, the Board of
Governors of the Federal Reserve
System, Office of the Comptroller of the
Currency, and the Securities and
Exchange Commission published for
comment a Draft Interagency White
Paper on Sound Practices to Strengthen
the Resilience of the U.S. Financial
System.1 The draft white paper
emphasized the criticality of protecting
the financial system from serious new
risks posed in the post-September 11
environment and described a series of
sound practices that were identified by
industry participants during a series of
interviews and meetings with the
agencies. Approximately 90 comment
letters were submitted to one or more of
the agencies by clearing and settlement
system operators; banking organizations;
investment banking firms; industry
associations; technology companies;
Federal, State and local officials; and
other interested parties and are
summarized below. After reviewing the
comments and continuing their dialogue
with interested persons, the agencies are
issuing this revised final interagency
paper.
The sound practices identified in the
paper are intended to supplement the
agencies’ respective policies and other
guidance on business continuity
planning by financial institutions. The
sound practices focus on establishing
robust back-up facilities for those back-office activities necessary to recover
clearance and settlement activities for
the wholesale financial system in times
of serious disruption and therefore do
not address issues relating to trading
operations or to retail financial services.
The agencies are not recommending that
firms move their primary offices,
primary operating sites, or primary data
centers out of metropolitan locations.
The agencies expect organizations that
fall within the scope of this paper to
adopt the sound practices within the
specified implementation timeframes, as
described in more detail in the paper.
SUPPLEMENTARY INFORMATION:

FEDERAL RESERVE SYSTEM

Summary of Comments
The commenters generally support
the agencies’ efforts to improve the
resilience of the financial markets and
agree with the goals outlined in the draft
white paper. Most commenters agree
with the sound practices in principle,
but propose a number of modifications
and clarifying changes to the document.
In general, the commenters prefer that
the agencies retain a ‘‘sound practices
paper format’’ rather than adopt a
regulatory approach that could be
susceptible to a ‘‘one size fits all’’
application. They also ask that the
agencies coordinate supervisory
expectations with each other and with
other regulatory authorities as necessary
to assure a consistent approach.

1 67 FR 56835, September 5, 2002.

There was broad consensus with the
goal of ensuring that key organizations
in critical financial markets are able to
recover clearing and settlement
activities in the event of a wide-scale
disruption as rapidly as possible.
Commenters agree with the definitions
of critical financial markets and critical
activities, but ask that the agencies make
clear that the sound practices apply to
back-office operations and not to trading
activities or retail products. They also
believe that the description of core
clearing and settlement organizations is
sufficient. Commenters ask for
additional guidance to assist in
identifying firms that play significant
roles in critical financial markets and
generally agree that a market share
benchmark should be established; a few
commenters recommend adopting a
dollar volume benchmark. A few
commenters suggest that benchmarks
should vary by market based on the
amount of concentration of key
participants in the critical financial
markets. Some commenters note the
importance of firms being able to self-determine whether they fall into a
particular category for a critical
financial market, while others ask that
the agencies contact organizations that
appear to meet the definition for core
clearing and settlement organizations or
firms that play significant roles in
critical markets. Several commenters
acknowledge that the sound practices
would effectively raise market
expectations with respect to the
resilience of all financial firms.
A number of commenters state that
the description of a wide-scale, regional
disruption should include parameters
for a range of probable events (e.g.,
power disruption, natural disaster) and
include the expected duration of the
outage (e.g., 5, 10, or 30 days). Other
commenters note that such specification
is unnecessary.
The commenters agree that a within-the-business-day recovery and
resumption objective for core clearing
and settlement organizations is
appropriate and acknowledge that a
two-hour recovery time objective is an
achievable goal, although somewhat
aggressive for some because of the
volume and complexity of transaction
data involved. There is general
consensus that the end-of-business-day
recovery objective is achievable for
firms that play significant roles in
critical markets, although many state
that this is possible only if firms are able
to utilize synchronous data storage
technologies, which can limit the extent
of geographic separation between
primary and back-up sites. A number of
commenters note that a recovery time
objective of four hours is unrealistic
unless core clearing and settlement
organizations and the
telecommunications infrastructure are
operating.2 Some commenters suggest
that recovery and resumption time
objectives should vary by type of
market. Other commenters note that
further guidance on the definitions of an
‘‘event’’ and ‘‘end-of-business day’’ is
needed to help ensure meaningful
recovery and resumption time
objectives.
A number of commenters support the
concept of establishing back-up sites for
operations and data centers that do not
rely on the same infrastructure and
other risk elements as primary sites and
note that such diversification of risk is
a long-standing principle of business
continuity planning for financial firms.
Most commenters oppose establishing
any minimum distance requirement
between primary and back-up facilities,
citing the need for sufficient flexibility
to manage costs effectively and allow for
technological improvements. A few
commenters believe that establishing
minimum separation is appropriate and
achievable. A number of commenters
express concern that out-of-region back-up sites, including those of third-party
service providers, often are
geographically concentrated, creating
additional risk in the event of a targeted
attack or wide-scale disruption affecting
those areas. Some commenters ask for
additional guidance on how to address
various infrastructure components, such
as water supply sources. A few
commenters indicate that they are
exploring overseas locations as part of
their recovery and resumption solutions
and ask for some assurances that
domestic and foreign financial
authorities will permit such
arrangements.

2 Many commenters state that the recovery of
financial systems can only be achieved if the
telecommunications infrastructure is up and
running across the nation. Firms identify a number
of industry efforts to explore common infrastructure
issues and possible solutions to ensure diversity of
circuit routing and other reliability issues.
Commenters raising this issue ask the agencies to
continue to raise the issue of telecommunications
infrastructure resilience with federal and state
agencies, including the Federal Communications
Commission, the National Security
Telecommunications Advisory Committee and the
Department of Homeland Security. The agencies are
taking numerous actions to help direct attention to
improving the resilience of the telecommunications
infrastructure.

Commenters note that firms should be
permitted to address critical staffing
needs sufficient to recover from a wide-scale disruption, but should not be
required to maintain a separate
redundant staff at their back-up
locations, which would be costly and
inefficient. Others advocate maintaining
a back-up site with staff able to perform
critical clearing and settlement activities
routinely (through two or more active
production sites) or on an emergency
basis (e.g., through cross-training staff).
Commenters state that permitting firms
to adopt a risk-based approach to
planning geographically dispersed back-up arrangements would allow
institutions to focus on those scenarios
that pose the greatest threat and manage
labor needs more effectively.
Most commenters agree that routine
use or testing of back-up facilities is
necessary and beneficial to ensure
financial system viability. They also
suggest that testing should be ‘‘end-to-end’’ involving telecommunication
firms, third-party service providers, and
securities exchanges.
A majority of commenters state that
plans to meet sound practices could be
developed within a year after the
agencies issue their final views. There is
general consensus that sound practices
can be implemented over a relatively
short (two to three year) time period, if
the agencies provide sufficient
flexibility to accommodate the unique
risk profile and planning and
investment cycles of each institution.
Commenters note that extending
implementation schedules would help
to mitigate the costs of building greater
resilience into business continuity
arrangements, although there was also
recognition that the post-September 11
risk environment requires that
achievement of the sound practices
needs to be accomplished within a
reasonably short time frame by peer
firms. Some commenters warn that strict
application of the sound practices or
establishment of minimum distance and
staffing requirements could require
firms to bear excessive costs with the
result that some might exit particular
markets, leading to further
concentration, decreased liquidity, and
higher overall costs for participants in
those markets. Several commenters
expressed concern that the sound
practices might result in significant
employment losses and other negative
impacts on the economy and tax base of
the New York City metropolitan area.
Virtually all commenters state that the
core clearing and settlement
organizations should establish more
aggressive implementation timetables
than other firms. Commenters also
recognize that firms should set
implementation benchmarks in their
plans to assess progress. Some
commenters assert that the incremental
cost of achieving the sound practices
should be subsidized, all or in part, by
the government.
The agencies have incorporated many
of the suggestions that were made by the
commenters. The revised paper is more
succinct, and generally provides more
flexibility to firms in managing
geographic diversity of back-up
facilities, staffing arrangements, and
cost-benefit considerations. It also
provides more specificity as to the scope
of application of the sound practices as
well as the implementation guidelines.
No specific mileage requirements or
technology solutions are mandated.
Accordingly, the agencies are issuing
this final version of the interagency
paper on sound practices to strengthen
the resilience of the U.S. financial
system.
Interagency Paper on Sound Practices
To Strengthen the Resilience of the U.S.
Financial System
Introduction and Background
The Federal Reserve, the Office of the
Comptroller of the Currency, and the
Securities and Exchange Commission
(the agencies) are issuing this
Interagency Paper on Sound Practices to
Strengthen the Resilience of the U.S.
Financial System to advise financial
institutions on steps necessary to
protect the financial system in light of
the new risks posed by the post-September 11 environment. The sound
practices build upon long-standing
principles of business continuity
planning and reflect actions identified
by industry members that will
strengthen the overall resilience of the
U.S. financial system in the event of a
wide-scale disruption.
The agencies have identified broad
industry consensus on three business
continuity objectives that have special
importance after September 11 for all
financial firms. The agencies also have
identified sound practices that focus on
minimizing the immediate systemic
effects of a wide-scale disruption on
critical financial markets. The sound
practices focus on the appropriate back-up capacity necessary for recovery and
resumption of clearance and settlement
activities for material open transactions
in wholesale financial markets. They do
not address the recovery or resumption
of trading operations or retail financial
services. The agencies are not
recommending that firms move their
primary offices, primary operating sites,
or primary data centers out of
metropolitan locations, and understand
that there are important business and
internal control reasons for financial
firms to maintain processing sites near
financial markets and their own
headquarters. The agencies also
recognize that achieving the sound
practices could be a multi-year endeavor
for some firms and that it is not
necessary or appropriate to prescribe
any specific technology solution or limit
a firm’s flexibility to implement the
sound practices in a manner that reflects
its own risk profile. The sound practices
discussed in this paper supplement the
agencies’ respective policies and other
guidance on business continuity
planning.
Post-September 11 Business Continuity
Objectives
During discussions about the lessons
learned from September 11, industry
participants and others agreed that three
business continuity objectives have
special importance for all financial
firms and the U.S. financial system as a
whole:
• Rapid recovery and timely
resumption of critical operations
following a wide-scale disruption;
• Rapid recovery and timely
resumption of critical operations
following the loss or inaccessibility of
staff in at least one major operating
location; and
• A high level of confidence, through
ongoing use or robust testing, that
critical internal and external continuity
arrangements are effective and
compatible.
The events of September 11
underscored the fact that the financial
system operates as a network of
interrelated markets and participants.
The ability of an individual participant
to function can have wide-ranging
effects beyond its immediate
counterparties. Because of the
interdependent nature of the U.S.
financial markets, all financial firms
have a role in improving the overall
resilience of the financial system. It
therefore is appropriate for all financial
firms to review their business continuity
plans and incorporate these three broad
business continuity objectives to the
fullest extent practicable. In striking an
appropriate balance between the new
set of risks posed in the post-September
11 environment and the costs involved
in planning for wide-scale disruptions,
financial firms should incorporate these
new and continuing risks into their
assessment of their unique
characteristics and risk profiles. Firms
also should continue to improve upon
short-term measures that have been
instituted since September 11 and
develop longer-term business recovery
plans where gaps are identified.

Definitions
The resilience of the U.S. financial
system in the event of a ‘‘wide-scale
disruption’’ rests on the rapid
‘‘recovery’’ and ‘‘resumption’’ of the
‘‘clearing and settlement activities’’ that
support ‘‘critical financial markets.’’
Some organizations, namely ‘‘core
clearing and settlement organizations’’
and ‘‘firms that play a significant role in
critical financial markets,’’ present a
type of ‘‘systemic risk’’ to the U.S.
financial system should they be unable
to recover or, in some instances, resume
clearing and settlement activities that
support those markets. These terms and
organizations are defined below.
Wide-Scale Disruption. A wide-scale
disruption is an event that causes a
severe disruption or destruction of
transportation, telecommunications,
power, or other critical infrastructure
components across a metropolitan or
other geographic area and the adjacent
communities that are economically
integrated with it; or that results in a
wide-scale evacuation or inaccessibility
of the population within normal
commuting range of the disruption’s
origin.
Systemic Risk. Systemic risk includes
the risk that the failure of one
participant in a transfer system or
financial market to meet its required
obligations will cause other participants
to be unable to meet their obligations
when due, causing significant liquidity
or credit problems or threatening the
stability of financial markets.3 Given the
complex interdependencies of markets
and among participants, thorough
preparations by key market participants
will reduce the potential that a sudden
disruption experienced by one or a few
firms will cascade into market-wide
liquidity dislocations, solvency
problems, and severe operational
inefficiencies.4

3 The use of the term ‘‘systemic risk’’ in this paper
is based on the international definition of systemic
risk in payments and settlement systems contained
in ‘‘A glossary of terms in payment and settlement
systems,’’ Committee on Payment and Settlement
Systems, Bank for International Settlements (2001).
4 Under adverse market conditions or in the event
of credit concerns about institutions, liquidity
dislocations of the type experienced immediately
after September 11 could be seriously compounded.

Critical Financial Markets. Critical
financial markets provide the means for
banks, securities firms, and other
financial institutions to adjust their cash
and securities positions and those of
their customers in order to manage
liquidity, market, and other risks to
their organizations. Critical financial
markets also provide support for the
provision of a wide range of financial
services to businesses and consumers in
the United States. Certain markets, such
as the federal funds and government
securities markets, also support the
implementation of monetary policy. For
purposes of this paper, ‘‘critical
financial markets’’ are defined as the
markets for:
• Federal funds, foreign exchange,
and commercial paper;
• U.S. Government and agency
securities;
• Corporate debt and equity
securities.
Core Clearing and Settlement
Organizations. Core clearing and
settlement organizations consist of two
groups of organizations that provide
clearing and settlement services for
critical financial markets or act as large-value payment system operators and
present systemic risk should they be
unable to perform. The first group
consists of market utilities (government-sponsored services or industry-owned
organizations) whose primary purpose
is to clear and settle transactions for
critical markets or transfer large-value
wholesale payments. The second group
of core clearing and settlement
organizations consists of those private-sector firms that provide clearing and
settlement services that are integral to a
critical market (i.e., their aggregate
market share is significant enough to
present systemic risk in the event of
their sudden failure to carry on those
activities because there are no viable
immediate substitutes).
Firms that Play Significant Roles in
Critical Financial Markets. Firms that
play significant roles in critical financial
markets are those that participate (on
behalf of themselves or their customers)
with sufficient market share in one or
more critical financial markets such that
their failure to settle their own or their
customers’ material pending
transactions by the end of the business
day could present systemic risk. While
there are different ways to gauge the
significance of such firms in critical
markets, as a guideline, the agencies
consider a firm significant in a
particular critical market if it
consistently clears or settles at least five
percent of the value of transactions in
that critical market.
Recovery and Resumption of Clearing
and Settlement Activities. The rapid
recovery and resumption of critical
financial markets, and the avoidance of
potential systemic risk, requires the
rapid recovery of clearing and
settlement activities for the purpose of
completing material pending
transactions on their scheduled
settlement dates. These clearing and
settlement activities include:

(a) Completing pending large-value
payments;
(b) Clearing and settling material
pending transactions; 5
(c) Meeting material end-of-day
funding and collateral obligations
necessary to ensure the performance of
items (a) and (b) above;
(d) Managing material open firm and
customer risk positions, as appropriate
and necessary to ensure the
performance of items (a) through (c)
above;
(e) Communicating firm and customer
positions and reconciling the day’s
records, and safeguarding firm and
customer assets as necessary to ensure
the performance of items (a) through (d)
above; and
(f) Carrying out all support and
related functions that are integral to
performing the above critical activities.
For purposes of this paper, the term
recovery (or recover) refers to the
restoration of clearing and settlement
activities after a wide-scale disruption;6
resumption (or resume) refers to the
capacity to accept and process new
transactions and payments after a wide-scale disruption.
Sound Practices
The agencies have identified four
broad sound practices for core clearing
and settlement organizations and firms
that play significant roles in critical
financial markets. The sound practices
are based on long-standing principles of
business continuity planning in which
critical activities are identified, a
business impact analysis is conducted,
and plans are developed, implemented,
and tested. Adoption of the sound
practices will help protect the financial
system from the risks of a wide-scale
disruption and reduce the potential that
key market participants will present
systemic risk to one or more critical
markets because primary and back-up
processing facilities and staffs are
located within the same geographic
region.

5 Transactions in government securities include
the purchase and sale of U.S. government bills,
notes, bonds and agency securities (including
mortgage-backed securities issued by Government
Sponsored Enterprises), as well as repurchase and
reverse repurchase agreements and triparty
repurchase agreements involving U.S. government
and agency securities.
6 The goal of business recovery plans is the
recovery of a particular activity or function and not
the recovery of a disabled facility or system.

1. Identify clearing and settlement
activities in support of critical financial
markets. An organization should
identify all clearing and settlement
activities in each critical financial
market in which it is a core clearing and
settlement organization or plays a
significant role. This assessment should
include identification of activities or
systems that support or are integrally
related to the performance of clearing
and settlement activities in those
markets.
2. Determine appropriate recovery
and resumption objectives for clearing
and settlement activities in support of
critical markets. For purposes of the
sound practices, a recovery-time
objective is the amount of time in which
a firm aims to recover clearing and
settlement activities after a wide-scale
disruption with the overall goal of
completing material pending
transactions on the scheduled
settlement date. Recovery-time
objectives for clearing and settlement
activities should be relatively consistent
across critical financial markets. This
promotes the compatibility of recovery
plans and helps ensure that core
clearing and settlement organizations
and firms that play significant roles in
critical financial markets will be able to
participate in the financial system in
times of wide-scale disruptions.
Recovery-time objectives provide
concrete goals to plan for and test
against. They should not be regarded as
hard and fast deadlines that must be met
in every emergency situation. Indeed,
the agencies recognize that various
external factors surrounding a
disruption such as time of day, scope of
disruption, and status of critical
infrastructure—particularly
telecommunications—can affect actual
recovery times.7 Furthermore, recovery
time objectives might not be achievable
following a late-day disruption without
an extension of normal business hours.

7 A number of firms have expressed concerns
about the resilience of telecommunications and
other critical infrastructure, and the current
limitations on an individual firm’s ability to obtain
verifiable redundancy of service from such carriers.
Firms that establish geographically dispersed
facilities can achieve additional diversity in their
telecommunications and other infrastructure
services, which will provide additional resilience in
ensuring recovery of critical operations. A number
of financial firms are sponsoring industry-wide
efforts to explore common infrastructure issues and
approaches.

Market participants agree that core
clearing and settlement organizations
must meet more aggressive recovery-time objectives than firms that play
significant roles in critical financial
markets. This is because core clearing
and settlement organizations are
necessary to the completion of most
transactions in critical markets;
accordingly, they must recover and
resume their critical functions in order
for other market participants to process
pending transactions and complete
large-value payments. It also is
reasonable to assume that there will be
firms that play significant roles and
other market participants in locations
not affected by a particular disruption
that will need to clear and settle
pending transactions in critical markets.
Therefore, core clearing and settlement
organizations should plan both to
recover and resume their processing and
other activities that support critical
markets. In light of the large volume and
value of transactions/payments that are
cleared and settled on a daily basis,
failure to complete the clearing and
settlement of pending transactions
within the business day could create
systemic liquidity dislocations, as well
as exacerbate credit and market risk for
critical markets. Therefore, core clearing
and settlement organizations should
develop the capacity to recover and
resume clearing and settlement
activities within the business day on
which the disruption occurs with the
overall goal of achieving recovery and
resumption within two hours after an
event.8 Core clearing and settlement
organizations also should develop plans
for communicating with participants
during a disruption to facilitate their
rapid recovery.
The ability of firms that play
significant roles in critical financial
markets to recover clearing and
settlement activities depends on the
timing of the recovery of core clearing
and settlement organizations for those
markets. For planning purposes, firms
should assume that core clearing and
settlement organizations will recover
and resume clearance and settlement
activities within the business day of the
disruption. Accordingly, firms that play
significant roles in critical financial
markets should plan to recover clearing
and settlement activities for those
markets as soon as possible after the
core clearing and settlement
organizations have recovered and
resumed their operations and within the
business day on which a disruption
occurs. In some markets, such as
wholesale payments, the banking
industry has had long-established
recovery benchmarks of four hours and
the largest participants in the wholesale
payments market have actively
discussed the need for a two-hour
recovery standard by such
organizations. Firms that play
significant roles in the other critical
financial markets should strive to
achieve a four-hour recovery time
capability for clearing and settlement
activities in order to ensure that they
will be able to meet a within the
business day recovery target.9

8 This includes recovery of clearance and
settlement activities that would normally be
performed by core clearing and settlement
organizations and significant firms within a
particular market’s business hours on the day of the
disruption. These activities include inputting
material transaction data or payment instructions,
and performing all steps necessary to clear and
complete material transactions on their regular
value or settlement dates.

3. Maintain sufficient geographically
dispersed resources to meet recovery
and resumption objectives. Recovery of
clearing and settlement activities within
target times during a wide-scale
disruption generally requires an
appropriate level of geographic diversity
between primary and back-up sites for
back-office operations and data centers.
The agencies do not believe it is
necessary or appropriate to prescribe
specific mileage requirements for
geographically dispersed back-up sites.
It is important for firms to retain
flexibility in considering various
approaches to establishing back-up
arrangements that could be effective
given a firm’s particular risk profile.
However, long-standing principles of
business continuity planning suggest
that back-up arrangements should be as
far away from the primary site as
necessary to avoid being subject to the
same set of risks as the primary location.
Back-up sites should not rely on the
same infrastructure components (e.g.,
transportation, telecommunications,
water supply, and electric power) used
by the primary site. Moreover, the
operation of such sites should not be
impaired by a wide-scale evacuation at
or the inaccessibility of staff that service
the primary site. The effectiveness of
back-up arrangements in recovering
from a wide-scale disruption should be
confirmed through testing.
Core clearing and settlement
organizations have the highest
responsibility to develop resources that
permit the recovery and resumption of
clearing and settlement activities within
the business day. Accordingly, these
organizations should establish back-up
facilities a significant distance away
from their primary sites. Core clearing
and settlement organizations that use
synchronous back-up facilities or whose
back-up sites depend primarily on the
same labor pool as the primary site
should address the risk that a wide-scale
disruption could impact either or both
of the sites and their labor pool. Such
organizations should establish even
more distant back-up arrangements that
can recover and resume critical
operations within the business day on
which the disruption occurs.

9 As markets and clearance and settlement
systems move toward longer operating hours, there
may be less flexibility to extend processing hours.
This underscores the importance of achieving
recovery time objectives within the business day’s
normal processing periods to the fullest extent
possible. It also underscores the importance of
ensuring that internal processes can be performed
in the event that business hours are extended
beyond midnight.

Firms that play significant roles in
critical financial markets should
maintain sufficient geographically
dispersed resources, including staff,
equipment and data to recover clearing
and settlement activities within the
business day on which a disruption
occurs. Firms may consider the costs
and benefits of a variety of approaches
that ensure rapid recovery from a wide-scale disruption.10 However, if a back-up site relies largely on staff from the
primary site, it is critical for the firm to
determine how staffing needs at the
back-up site would be met if a
disruption results in loss or
inaccessibility of staff at the primary
site. Moreover, firms that use
synchronous back-up facilities or whose
back-up sites depend primarily on the
same labor pool as the primary site
should address the risk that a wide-scale
disruption could impact either or both
of the sites and their labor pools. As part
of their ongoing planning process, firms
with such back-up arrangements should
strive to develop even more distant data
back-up and operational resources that
prove sufficient to recover clearing and
settlement activities within the business
day on which the disruption occurs.
The business continuity planning
process should take into consideration
improvements in technology and
business processes supporting back-up
arrangements and the need to ensure
greater resilience in the event of a wide-scale disruption. Interim steps a firm
may take should be compatible with the
objective of establishing even more
distant back-up arrangements. The
agencies expect that, as technology and
business processes supporting back-up
arrangements continue to improve and
become increasingly cost effective, firms
will take advantage of these
developments to increase the geographic
diversification of their back-up sites.

10 Examples of such arrangements range from
maintaining a fully operational geographically
dispersed back-up facility for data and operations
to utilizing outsourced facilities in which
equipment, software, and data are stored for staff to
activate. Firms are addressing critical staffing issues
in various ways, such as cross training, utilizing
staff at underused systems to share or shift loads,
rotating employees off-site, and establishing work
shifts. A number of firms use outsourced back-up
solutions for recovering clearing and settlement
activities and data storage. However, numerous
commenters expressed concern about the small
number of recovery facilities, their lack of
geographic diversity and the cost of ensuring
availability of facilities during a wide-scale
disruption. Firms that use outsourced back-up
solutions should take into consideration any
heightened risks that could affect access to those
facilities during a wide-scale disruption.

4. Routinely use or test recovery and
resumption arrangements. One of the
lessons learned from September 11 is
that testing of business recovery
arrangements should be expanded. It is
critical for firms to test back-up facilities
with the primary and back-up facilities
of markets, core clearing and settlement
organizations, and third-party service
providers to ensure connectivity,
capacity, and the integrity of data
transmission. It also is important to test
back-up arrangements with major
counterparties and customers, as
appropriate. Such testing ensures that
recovery objectives are achievable and
that staff and necessary external parties
are sufficiently informed.
Core clearing and settlement
organizations should periodically test
recovery and resumption plans at all of
their back-up sites. Test scenarios
should include wide-scale disruptions
that affect the accessibility of key staff;
demonstrate the ability to recover and
resume within the business day; and
aim for a two-hour recovery time. Core
clearing and settlement organizations
should require participants to test
connectivity between their primary and
back-up sites and those of the core
clearing and settlement organizations.
They also may wish to consider
organizing a broader industry stress test
to ensure that recovery systems are
consistently robust across critical
market participants.
Firms that play significant roles in
critical financial markets should
routinely use or test their individual
internal recovery and resumption
arrangements for connectivity,
functionality, and volume capacity.
Firms that establish back-up sites within
the current perimeter of synchronous
back-up technology or that rely
primarily on staff at the primary site
should confirm that their plans would
be effective if a wide-scale disaster
affects both sites. Firms also are
encouraged to take advantage of testing
opportunities offered by markets, core
clearing and settlement organizations
and third-party service providers to
ensure connectivity, capacity and the
integrity of data transmission. Firms are
encouraged to continue to work
cooperatively with their core clearing
and settlement organizations and trade
associations to design and schedule
appropriate industry tests to ensure the
compatibility of individual recovery and
resumption strategies across critical
markets.


Implementation of Sound Practices
Cost-Benefit Considerations. The
agencies recognize the importance of
cost-effective business continuity
planning. The costs associated with
implementing the sound practices can
vary substantially depending on the
extent to which incremental
improvements may be needed to
address the risks of a wide-scale
disruption. Some firms that play
significant roles in critical markets may
find that they need to implement only
relatively minor improvements to their
back-up arrangements. Other firms may
find it necessary to adopt a more robust
technology or upgrade software
applications in order to achieve
recovery objectives identified by the
sound practices. To mitigate the costs of
these enhancements, firms may wish to
integrate them into the strategic
planning process (e.g., coordinate with
planned enhancements to facilities,
information system components and
architecture, and business processes).
Firms should recognize that adoption
of the sound practices will help to
reassure their counterparties and
customers that they can rapidly regain
their ability to clear and settle
transactions in critical markets.
Similarly, firms participating in the
financial system would enjoy greater
assurance that critical market
participants will be able to withstand a
wide-scale disruption and meet their
payment and settlement obligations,
thereby minimizing the potential for
cascading fails and resulting systemic
risk. Firms report that market forces
clearly recognize the interdependent
nature of the financial system, and
customers and counterparties
increasingly expect firms to demonstrate
their ability to continue operations
should a wide-scale disruption occur.
Implementation by core clearing and
settlement organizations. Core clearing
and settlement organizations should
continue their accelerated efforts to
develop, approve, and implement plans
that substantially achieve the sound
practices by the end of 2004. Plans
should provide for back-up facilities
that are well outside of the current
synchronous range that can meet
within-the-business-day recovery
targets. On a case-by-case basis, core
clearing and settlement organizations
can be given additional time to
complete implementation of back-up
facilities that are well outside the
current synchronous range, so long as
they take concrete, near-term steps that
result in substantially improved
resilience by the end of 2004. The
amount of flexibility will be measured
against factors such as board of directors
and senior management’s commitment
to approved budgets, and adherence to
aggressive timetables and interim
milestones. Plans should include
measurable milestones to assess
progress in achieving the sound
practices.
Implementation by firms that play
significant roles in critical markets.
Firms that play significant roles in
critical financial markets should
develop, approve and implement plans
that call for substantial achievement of
the sound practices as soon as
practicable, but generally within three
years of publication of this paper.11 In
some cases, a firm may find it
necessary to provide for a longer
implementation period in light of its
respective risk profile, level of
resilience, and unique business
circumstances. All plans should
incorporate interim milestones against
which progress can be measured and
should provide for ongoing
consideration of the costs and benefits
of achieving greater geographic
diversification of back-up facilities.
Role of Senior Management and
Boards of Directors. The agencies
believe, and industry participants
confirm, that incorporation of the post-September 11 business continuity
objectives and sound practices
discussed in this paper raises numerous
short- and long-term strategic issues that
require continuing leadership and
involvement by the most senior levels of
management. These issues must be
considered in light of a firm’s
dependencies on other market
participants and the need to achieve a
consistent level of resilience across
firms. Boards of directors should review
business continuity strategies to ensure
that plans are consistent with the firm’s
overall business objectives, risk
management strategies, and financial
resources. Decisions about overall
business continuity objectives should
not be left to the discretion of individual
business units.

11 The agencies will contact each firm that
appears to meet the market share thresholds and,
if they conclude that the firm plays a significant
role in one or more critical markets, will review the
firm’s plans for implementing the sound practices.
The agencies also will monitor implementation of
those plans.

Conclusion
After September 11, financial industry
participants initiated a significant
review of lessons learned with a view
towards strengthening their business
continuity plans. The agencies believe
that it is important for financial firms to
improve recovery capabilities to address
the continuing, serious risks to the U.S.
financial system posed by the post-September 11 environment. Financial
industry participants have demonstrated
a keen commitment to ensuring the
continued viability of the U.S. financial
system by strengthening their own
business continuity plans to address the
risk of a wide-scale disruption. Over the
past year, significant short- and longer-term improvements have been made to
business recovery plans. Financial
industry participants recognize the
importance of continuing senior
management involvement in achieving
the sound practices discussed in this
paper. Firms also are participating in
industry initiatives aimed at improving
private-sector coordination and
ensuring that business recovery plans
are compatible and that an appropriate
level of robustness is achieved among
peers.
The agencies recognize that
achievement of the sound practices
could be a multi-year endeavor for some
organizations and that it is not
necessary or appropriate to prescribe
any specific technology solution for
implementing the sound practices. The
agencies urge all financial system
participants to continue efforts over the
long term to ensure that critical U.S.
financial markets have appropriately
robust recovery capabilities and can
respond to a wide-scale disruption by
adopting the sound practices to the
fullest extent practicable. Finally, the
agencies encourage financial firms that
are not deemed to be a core clearing and
settlement organization or a firm that
plays a significant role in critical
markets to review and consider
implementation of the sound practices,
particularly if a firm’s transactions
levels approach those deemed to be
significant.
By order of the Board of Governors of the
Federal Reserve System, April 7, 2003.
Jennifer J. Johnson,
Secretary of the Board.
Dated: April 7, 2003.
John D. Hawke, Jr.,
Comptroller of the Currency.
By the Securities and Exchange
Commission.
Dated: April 7, 2003.
Margaret H. McFarland,
Deputy Secretary.
[FR Doc. 03–8896 Filed 4–10–03; 8:45 am]
BILLING CODE 6210–01–P; 4810–33–P; 8010–01–P
