FINRA has begun a targeted examination sweep of member firm compliance with Rule 4370, which requires registered firms to create and maintain a written Business Continuity Plan identifying procedures for responding to significant business disruptions. The sweep focuses on whether BCP documentation reflects current operational reality — an increasingly relevant question for firms whose actual operations have changed substantially since their last BCP review.
BCP deficiencies under Rule 4370 have been a recurring FINRA examination finding. The current sweep reflects heightened focus following several years of operational disruption — pandemic-era remote work transitions, technology system changes, and workforce restructuring — that have created gaps between BCPs written before 2020 and how firms actually operate today.
What Rule 4370 Requires
Rule 4370 requires each member firm to have a written BCP addressing specific categories of business disruption: how the firm will respond to a significant disruption of operations, how it will communicate with customers in the event of disruption, how it will maintain or promptly restore critical business functions, and how it will handle alternative locations if the primary facility is unavailable.
The rule requires that BCPs be reviewed annually. The annual review must assess whether the plan accurately reflects the firm's current operations — including its current technology systems, current staff structure, current customer communication channels, and current regulatory reporting obligations. A BCP written for an office-based firm that has since moved to a hybrid work model may have been formally reviewed each year on paper while remaining substantively outdated in content.
What Examiners Are Finding
FINRA examination staff conducting the Rule 4370 sweep are identifying several recurring deficiencies: BCPs that reference legacy technology systems no longer in use; BCPs that identify individuals by name in roles those individuals no longer hold; BCPs that describe communication protocols — phone trees, physical mail notification — that are not consistent with how the firm actually communicates with customers; and BCPs that do not address remote work infrastructure, cloud-based systems, or third-party technology providers that are now central to the firm's operations.
The failure mode is not usually a failure to have a BCP. It is a failure to maintain a BCP that reflects current operational reality. A BCP that is accurate on the date it is written and then filed without meaningful updates for three years is not a compliant BCP regardless of when it was technically last reviewed.
Third-Party Technology and Vendor Dependencies
One area of specific focus in the current sweep is third-party technology vendor dependencies. Firms that rely on cloud-based order management systems, CRM platforms, or data storage providers need BCPs that address what happens when those vendors experience disruptions. The BCP should identify the firm's critical third-party dependencies, describe the firm's plan for operating if each dependency is unavailable, and include contact information for each vendor's emergency support channels.
The recent high-profile outages at major cloud providers and financial technology infrastructure companies have made this gap visible to FINRA examiners. A firm whose entire trading and compliance infrastructure depends on a single cloud provider needs a BCP that honestly addresses what a multi-hour outage of that provider would mean for operations and customer service.
This article is for informational purposes and does not constitute legal advice.