Business Continuity Plan Checklist

Inventory the functions whose disruption directly affects clients or regulators — trade execution at the custodian, fee billing, ACATS in-flight transfers, RMD processing, AML transaction monitoring, and books-and-records access under Rule 17a-4. Exclude back-office work that can absorb a multi-day outage without client impact.

Walk each critical function through plausible disruption scenarios — custodian outage, ransomware, regional ISP failure, key-person absence, severe weather. Set a Recovery Time Objective and Recovery Point Objective per function; FINRA Rule 4370 expects these documented.

Tie downtime to dollars — fee revenue lost, trade slippage during a market-open outage, client attrition risk, and regulatory exposure under Reg BI for missed fiduciary obligations. Capture the per-function exposure narrative in the BIA workbook.

Map dependencies on the custodian (Schwab, Fidelity, Pershing, Altruist), portfolio management system (Black Diamond, Orion, Tamarac), CRM (Salesforce, Wealthbox, Redtail), archiving vendor (Smarsh, Global Relay), and core banking platform if applicable. A vendor concentration with no failover path is a finding waiting to happen.

Produce the BIA prioritization document — Tier 1 functions recover first, Tier 2 within the day, Tier 3 within a week. CCO signs off and the artifact attaches here for the Rule 206(4)-7 compliance file.

For each Tier 1 function, name the recovery method — failover to alternate custodian portal, manual trade tickets, paper-based fee billing fallback, secondary AML review process. Vague language like "use alternate procedures" fails examiner scrutiny.

Specify primary site, alternate site, and remote-work fallback. Confirm staff have laptops, MFA tokens, and secure VPN access. For BD branches under Rule 4370, the plan must address how customers continue to access funds and securities during a disruption.

Name people, not titles. CCO owns regulatory notifications, COO owns operations failover, IT lead owns systems recovery, designated principal owns supervision continuity. Document a backup for every primary role — single-person dependencies are the most common BCP gap.

Pull contacts for advisors, staff, custodian relationship managers, clearing firm operations desks, key vendors, regulators (SEC regional office, FINRA district, state securities), and outside counsel. Refresh quarterly — staff churn breaks the call tree faster than anything else.

Pre-draft scripts for short-duration custodian outage, ransomware, and multi-day site loss. Include the disclosure language required by the amended Reg S-P safeguards rule when client data exposure is suspected. CCO pre-approval avoids ad-hoc messaging that creates regulatory exposure.

Annual training on BCP roles, alternate site procedures, and the call tree. Document attendance for the FINRA / SEC exam file. New advisors and client service associates get this in onboarding, not just at the annual cycle.

Request current BCP, SOC 2, or ISO 22301 attestations from the custodian, clearing firm, portfolio management vendor, archiving provider, and cloud-hosted CRM. Vendor failure is your failure under Rule 4370 vendor oversight expectations.

Run a half-day tabletop with the crisis management team. Use realistic scenarios — ransomware encrypting the file server, custodian extended outage on a market-open morning, BEC wire fraud during the disruption. Capture gaps surfaced for remediation.

Coordinate a live drill — connect from the alternate site, place test orders on the custodian sandbox where available, verify portfolio management connectivity, confirm email archiving continues to flow. An annual full-scale test is the FINRA expectation; tabletop alone is not sufficient.

For every gap surfaced in testing, open a tracked ticket with a named owner and due date. Close the loop within 90 days; recurring gaps year over year are an exam finding pattern.

Per SEC Rule 206(4)-7 and FINRA Rule 4370, the BCP requires at least annual review and review on any material change to operations, custodial relationships, or staffing. CCO sign-off is the supervisory artifact regulators ask to see.

Reflect any new IARs or registered reps, new branch locations, new custodian relationships, new core systems, or new outsourced services since last review. Stale BCPs reference vendors and people that no longer exist.

Walk the plan against the Rule 4370 ten elements (data backup, mission-critical systems, financial and operational assessment, alternate communications, alternate physical location, customer access to funds, regulatory reporting, regulator communications, BCP disclosure, and BCP review). For RIAs, map to the corresponding 206(4)-7 compliance program elements.

Update the asset inventory — hardware, software licenses, data feeds, and contracted SLAs with the custodian and clearing firm. Confirm that contractual recovery commitments still match the operational expectations documented in the BIA.

Maintain copies in at least two physically separated locations plus a cloud copy accessible from outside the office network. The plan in the office file cabinet is useless when the office is the disaster.

Name the team — typically Managing Principal, CCO, COO, IT lead, and a marketing or communications lead. Each role has a designated alternate. Distribute wallet cards or a secure mobile reference with the call tree so members can reach each other off the corporate network.

Stand up an out-of-band path — staff personal emails on file, a mass-notification service (Everbridge, OnSolve), and a client-facing status page hosted off the corporate network. The internal email server going down cannot also disable the response channel.

Pre-approve holding statements for short outage, extended outage, and security incident scenarios. Reg S-P incident notice has specific timing and content requirements; Form ADV Item 9 disclosures may also be implicated by the same event.

Per the amended Safeguards Rule, written notice is required to affected individuals within 30 days of determining a covered incident occurred, with specified content. Build the notification workflow now — drafting it during the incident loses the clock.

Document reportable events and timelines — Form U4/U5 amendments for affected reps, FINRA Rule 4530 disclosure events, SEC Form ADV updates, state notification triggers. The clock starts at detection, not at convenience.