Business Continuity Planning: Lessons from a Communications Exercise



Similar documents
Business Continuity Planning (800)

Chairwoman Sue W. Kelly House Financial Services Subcommittee on Oversight and Investigations U.S. House of Representatives

Regulatory Notice 13-25

ISDA International Swaps and Derivatives Association, Inc.

Intraday Liquidity Flows

FOREIGN EXCHANGE SETTLEMENT RISK

BUSINESS CONTINUITY TABLETOP EXERCISE (TTEX) GUIDE

Internal Audit Department NeighborWorks America. Audit Review of the Business Continuity Plan (BCP) Management and Documentation

The October 31, 2008 Summary of Commitments included the following:

1801 MARKET STREET, SUITE 300 PHILADELPHIA, PA FAX April 23, 2012

How To Understand The Interdependencies Of Payment And Settlement Systems In Hong Kong

Sunrise Brokers voted overall number one equity products broker of the year by Risk for the sixth consecutive year REPRINTED FROM

Policy guidance on the Bank of Canada s risk-management standards for designated financial market infrastructures

A Review of 2000 by The London Foreign Exchange Joint Standing Committee

Systemic Importance Indicators for 33 U.S. Bank Holding Companies: An Overview of Recent Data

Cyber Europe Key Findings and Recommendations

NOT PROTECTIVELY MARKED BUSINESS CONTINUITY. Specialist Operations Contingency Planning Business Continuity Manager

Testimony of. Edward L. Yingling. On Behalf of the AMERICAN BANKERS ASSOCIATION. Before the. Subcommittee on Oversight and Investigations.

Our journey to a single global brand. Dr. Manfred Stuettgen, Global Head of Branding Lugano, March 11, 2011

Credit Suisse Asset Management Limited UK Order Execution Policy December 2013

<Client Name> IT Disaster Recovery Plan Template. By Paul Kirvan, CISA, CISSP, FBCI, CBCP


Operational risk capital: Nowhere to hide

Business continuity management policy

ESCB definitions of major business continuity terms in relation to payment and securities settlement systems 1

Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan

Business Continuity Business Continuity Management Policy

Standing together for financial industry cyber resilience Quantum Dawn 3 after-action report. November 23, 2015

Business Continuity Planning at the Bank of Japan

MEDIA RELEASE. IOSCO reports on business continuity plans for trading venues and intermediaries

DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES

: Chief Executive Officers of all Licensed Commercial Banks, Primary Dealers, Central Depository Systems (Pvt) Ltd. and LankaClear (Pvt.) Ltd.

FINRMFS9 Facilitate Business Continuity Planning and disaster recovery for a financial services organisation

LFRS Business Continuity Planning

Testimony of. Doug Johnson. New York Bankers Association. New York State Senate Joint Public Hearing:

BEST INTEREST POLICY

Ohio Supercomputer Center

NIST SP , Revision 1 Contingency Planning Guide for Federal Information Systems

11 Common Disaster Planning Mistakes

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

Keynote Speech. Beth Dugan Deputy Comptroller for Operational Risk. The Clearing House s First Operational Risk Colloquium

Japan Investment Working Group ISITC Japan General Meeting June 1 st, GSTPA Japan

Market Intermediary Business Continuity and Recovery Planning. Consultation Report

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning MARCH 2003 IT EXAMINATION H ANDBOOK

IT Disaster Recovery Plan Template

Wolfsberg Anti-Money Laundering Principles for Correspondent Banking

Business Continuity Management

Business Continuity and Disaster Recovery Policy

TOCOM s Approach to the Business Continuity Plan (BCP)

Synthetic Financing by Prime Brokers

Audit of the Disaster Recovery Plan

BUSINESS CONTINUITY PLANNING

CAPITAL SHORTFALL: A NEW APPROACH TO RANKING and REGULATING SYSTEMIC RISKS Viral Acharya, Robert Engle and Matthew Richardson 1

Offsite Disaster Recovery Plan

A Business Continuity Plan for Government. George Bomar Dianne Casey Texas Department of Licensing and Regulation

BUSINESS CONTINUITY POLICY

Statement of Guidance

Business Continuity Management Review

Information Paper. Pandemic Planning October Australian Prudential Regulation Authority

The Importance of Brand in the Asset Management Industry. Presentation prepared for Financial Services Forum. London, 25 th June 2015.

PACIFIC PRIVATE BANK LIMITED S BEST EXECUTION POLICY (ONLINE TRADING)

Waking Shark II Desktop Cyber Exercise

O C T O B E R

LIBOR EXPLAINED. Understanding the LIBOR Scandal

The Foreign Exchange and Interest Rate Derivatives Markets: Turnover in the United States, April Federal Reserve Bank of New York

London Borough of Bromley. Executive & Resources PDS Committee. Disaster Recovery Plans for London Borough of Bromley

POLICY. 1) Business Continuity Management 2) Disaster Recovery 3) Critical Incident Management 4) Risk Management

Appendix 2 - Leicester City Council s Business Continuity Management Policy Statement and Strategy Business Continuity Policy Statement 2015

BOARD OF GOVERNORS FEDERAL RESERVE SYSTEM

Hospital Authority. Enhanced Contingency Planning for IT System Failures

European Commission proposed regulation on OTC derivatives, central counterparties and trade repositories

Your Guide to Getting Started

Transferencias para recibir en dólares

Transmission Function Employees Job Titles and Descriptions 18 C.F.R 358.7(f)(1)

Pandemic Planning. Presented by: Ron Wagner, IT Examiner with FDIC & Dana Lavey, Supervision Analyst with NCUA

Disaster Recovery and Business Continuity Plan

Enhancing the resilience of the Bank of England s Real-Time Gross Settlement infrastructure

Global Alliance for Banking on Values. Real Banking for the Real Economy: Comparing Sustainable Bank Performance with the Largest Banks in the World

December 13, Submitted via to

Interagency Statement on Pandemic Planning

Risk Management & Business Continuity Manual

Professional Development Needs Assessment for Teachers

Transcription:

PAYMENTS RISK COMMITTEE Business Continuity Planning: Lessons from a Communications Exercise July 9, 2013 The Payments Risk Committee (PRC) is a private sector group of senior managers from U.S. banks that is sponsored by the Federal Reserve Bank of New York. The Committee identifies and analyzes issues of broad industry interest related to risk in payments and settlement systems. It also seeks to foster broader industry awareness and discussion, and to develop input on public and private sector initiatives. The current members of the Committee are Bank of America, The Bank of New York Mellon, Bank of Tokyo Mitsubishi UFJ, Citibank, Deutsche Bank, Goldman Sachs, HSBC Bank USA, JP Morgan Chase, Morgan Stanley, State Street Bank and Trust Company, UBS, and Wells Fargo.

FOREWARD Today banking is more globally and systemically integrated than ever before. It is very difficult to find a business that is fully self-contained, as evidenced by the 2008 financial crisis. While technology has enabled more efficient access to liquidity, it has also magnified the impacts of systemic disruptions. Global financial institutions are interconnected through the millions of transactions sent by each firm and cleared and settled through the multiple financial market utilities around the world. While firms individually conduct their own business continuity and resilience exercises, exercises that reach across multiple industry participants create different learning and relationship-building opportunities. The more that financial institutions understand their abilities to respond under stressful circumstances, the more the industry participants will be prepared to respond to actual events. The Payments Risk Committee (PRC) is pleased to present the lessons learned by its members during a business continuity exercise held in October 2012. These lessons proved useful just a few weeks later, when the metropolitan New York area had to confront the extreme weather condition now known as Superstorm Sandy. We trust that these lessons will be of use to other firms. The PRC would like to acknowledge the Business Continuity Planning (BCP) Working Group members for their efforts in planning the BCP exercise. The planning involved cooperation between numerous volunteers from PRC member firms and staff from the Federal Reserve Bank of New York, over the course of many months. The PRC also acknowledges The Clearing House and the Financial Services Information Sharing and Analysis Center for their contributions and assistance in developing and facilitating the exercise. Paul Galant Chairman, Payments Risk Committee Chief Executive Officer, Global Enterprise Payments Citibank, N.A. Bill Pappas PRC Sponsor, BCP Working Group Chief Information Officer, Global Technology & Operations Bank of America 1 P age

EXECUTIVE SUMMARY INTRODUCTION As part of the Payments Risk Committee s (PRC) continuing objective to strengthen the clearing and settlement of financial transactions and support risk-reducing practices, the Committee organized a business continuity planning (BCP) simulation exercise for its members that focused on identifying the various types of communications that could be necessary in the event of a significant disruption to payments, clearing, and settlement (PCS) activities in the U.S. Financial institutions (FIs) routinely conduct BCP exercises to support continuing business needs. The PRC exercise focused on ensuring effective communications protocols in the event of a market-wide disruption related to PCS activities. The exercise examined communications: within participating FIs across appropriate parts of an organization and, as needed, escalated to senior management, across firms to other FIs, and with financial market utilities (FMUs) and regulators. The scenario was designed to trigger discussion of issues associated with communications with clients, regulators, and the media regarding payments and settlement services. The scenario involved a software data corruption, originating from an external service provider, affecting wholesale payments. The simulated corruption resulted in firms reporting apparent discrepancies in the expected funds received from originating financial institutions. The simulated problem was assumed to have affected payment activities at all PRC member firms. The exercise followed a distributed-tabletop simulation approach, in which facilitators at each firm were responsible for execution of the hypothetical scenario within their firms. The exercise was conducted over several days in October 2012. The enclosed report summarizes the primary findings that may be of use to the public and other interested firms to promote emergency preparedness. The conclusions and recommendations of this report do not necessarily represent the policies or views of the participating institutions, the Federal Reserve Bank of New York, or the Federal Reserve System. 2 P age

OVERALL FINDINGS The 2012 BCP exercise proved to be a learning opportunity for all participating organizations. The simulation was designed to require engagement across multiple areas within each participating member firm, specifically, operations, legal, compliance, risk management, business management, and clientfacing and customer service personnel. Key findings from the exercise include: Management, communication structures, and central coordinators are in place at all participating firms to address a PCS-disruption. The contact points, levels of escalation, and associated practices differed among firms. Participants rely on communication from affected FMUs during a disruption. Effective communication facilitates participants understanding of the root cause of a PCS disruption, providing information useful in considering their own actions and communications. Communication through multiple channels (e.g., email, phone, Internet, etc.) was viewed as beneficial, as were arrangements that permitted two-way communications (that is, discussion or other type of questions and responses). Common industry messages could be beneficial, for example, when addressing shared issues. Having a convening and coordinating body as a venue for discussion in an emergency situation is considered helpful. Opportunities for senior executives to discuss cross-industry PCS risk concerns add value and may help clarify issues and risks to the broader industry, market and clients. Communication from FMUs to affected customers should occur through multiple channels (e.g., email, Internet website posts, and telephone calls) and allow two-way engagement. Firms should continue to ensure that they maintain a broad and up-to-date roster of representative contact information and communication protocols with critical FMUs to facilitate appropriate communication during an event that may affect PCS activity. Note that many PCS systems operate around the clock, so contact arrangements should have an off hours component. 3 P age

SUPPLEMENTARY LESSONS FROM SUPERSTORM SANDY After the completion of the BCP simulation exercise, PRC member banks business continuity plans were tested when Superstorm Sandy struck the New York metropolitan area on Monday, October 29 th, with sustained wind speeds reaching 90 mph and storm surges up to 11 feet above high tide levels. As part of their own post-event procedures, PRC member firms compiled lessons from their experiences. The summary below is based on selections from those lessons that pertain to the effectiveness of contingency planning for PCS activity during and after Superstorm Sandy. LESSONS LEARNED Overall, member firms reported that existing contingency plans enabled businesses to operate through the storm and aftermath with minimal disruption to PCS activities. Some member firms reported experiencing brief interruptions to the availability of their internal systems for a small number of applications. Firms also reported that, given backup procedures that were implemented, the interruptions did not have significant adverse effects on PCS activities. While these lessons reinforce the importance of effective communication protocols within FIs as well as between FIs and external service providers, they are not limited to this topic. Specific feedback from PRC firms: Reduce reliance on paper files. Increase capacity of staff to work remotely or from virtual desktops. Assess critical buildings for physical infrastructure weakness. Develop multiple channels for both internal and external communications as part of business continuity plans. Continuously engage FMUs and service providers to understand their business continuity plans ahead of time. Provide staff contingency contacts lists and sites sufficient to accommodate the influx of calls to back up facilities. Consider centralized and bilateral communication mechanisms to push information and updates to clients, enabling efficient means for clients to track provider statuses 4 P age

APPENDIX A: PARTICIPATING FIRMS Bank of America Bank of New York Mellon Bank of Tokyo Mitsubishi Citibank Deutsche Bank FS-ISAC Goldman Sachs HSBC JP Morgan Chase Morgan Stanley SIFMA State Street The Clearing House UBS Wells Fargo Federal Reserve Bank of New York Board of Governors of the Federal Reserve System 5 P age

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information