
Financial Industry Standards, Regulations, Guidelines

International

BASEL III: Revised International Capital Framework (2010) – aimed at the international banking community, the BASEL III framework creates a standard to guard against industry-specific financial and operational risks.

Basel Committee on Banking Supervision, High-Level Principles for Business Continuity (2006) [PDF] – a set of high-level principles on business continuity meant to contribute beneficially to the resilience of the global financial system.

Australia

Prudential Standard APS 222 (2009) [PDF] – a regulation for associations with related entities, including BCM requirements.

APS 232 (2005) [PDF] – a business continuity regulatory requirement from the Australian Prudential Regulation Authority (APRA) for all authorized deposit-taking institutions (ADIs).

Bahamas

PU19-0406 Supervisory and Regulatory Guidelines: Business Continuity Guidelines (2007) [PDF] – issued by the Central Bank of the Bahamas, the guidelines apply to all commercial banks (domestic or foreign) operating in all territories of the Bahamas. They are based upon the Basel Committee's Joint Forum “High Level Principles”.

Canada

IDA By-Law 17.19 [PDF] – a bylaw approved by the Ontario Securities Commission, which requires IDA members to have a Business Continuity Plan.

China

Management, Supervision and Internal Control Guidelines (2003) – published by the Hong Kong Securities and Exchange Commission, the Guidelines relate to the practices and standards with which intermediaries and their representatives are ordinarily expected to comply in carrying on the regulated activities for which they are licensed or registered.

Supervisory Policy Manual TM-E-1, Supervision of E-Banking [PDF] – sets out the Hong Kong Monetary Authority's approach to the supervision of Authorized Institutions' (AIs') electronic banking services and provides AIs with guidance on general principles for the risk management of electronic banking.

Supervisory Policy Manual TM-G-1 [PDF] – the Hong Kong Monetary Authority's guidance on general principles which Authorized Institutions are expected to consider in managing technology-related risks.

Supervisory Policy Manual TM-G-2 [PDF] – the Hong Kong Monetary Authority's guide to satisfying the requirements of the Banking Ordinance, with recommendations on best practices.

Indonesia

Regulation no. 6/8/PBI/2004 [PDF] – concerns the implementation of the Bank Indonesia Real Time Gross Settlement System.

Regulation no. 9/15/PBI/2007 – a guideline for risk management in the use of IT that banks must follow to mitigate the risks involved in using IT.

Japan

Business Continuity Planning at Financial Institutions (2003) – mandatory for Japanese financial firms, the Bank of Japan's guidelines provide a framework for identifying and maintaining a risk profile with the aim of enhancing response and business continuity in the event of a major business disruption.

Manual for the Development of Contingency Plans in Financial Institutions (2001) [PDF] – available for purchase through the Center for Financial Industry Information Systems; includes simple examples and practical descriptions of concrete developments in contingency planning.

Malaysia

Guidelines on Business Continuity Management [PDF] – published by the Central Bank of Malaysia, the Guidelines outline and enforce minimum BCM requirements on the institution.

Philippines

Circular 268 – Philippines Central Bank regulation implementing rules and regulations of Sec. 55.1 (e) of the General Banking Law 2000.

Circular 269 – Philippines Central Bank regulation concerning electronic banking activities.

Circular 542 – Philippines Central Bank regulation relating to consumer protection for electronic banking.

Singapore

Business Continuity Management Guidelines (2003) [PDF] – the guidelines set out sound BCM principles and serve as standards that institutions are encouraged to adopt.

SS 540 – Singapore Standard that establishes the framework for organizations to analyse and implement strategies, processes and procedures.

Guidelines on Outsourcing (2004) [PDF] – the Guidelines set out MAS' expectations of an institution that has entered into outsourcing or is planning to outsource its business activities to a service provider.

Switzerland

Recommendations for Business Continuity Management (BCM) (2007) [PDF] – non-binding recommendations, except for the requirements for completing a Business Impact Analysis; the document also provides a binding minimum standard for the definition of a Business Continuity Strategy.

Swiss Federal Banking Commission Circular 06/6 [PDF] – sets guidelines for corporate governance, the supervision of business activities and internal control, and the supervision thereof by the responsible function in banks and other financial institutions.

United Kingdom

FSA CP142: Operational Risk Systems and Controls (2002) – seeks to uphold market confidence and consumer protection by addressing financial firms and their preparedness for a major business disruption.

United States

FFIEC: Business Continuity Planning Booklet (2008) [PDF] – helps organizations identify business continuity risks and evaluate controls and risk mitigation strategies. The booklet also includes a pandemic planning framework.

GLBA: Gramm-Leach-Bliley Act (1999) – also known as the Financial Services Modernization Act of 1999, the GLBA deals with the protection of consumers' financial information against destruction, loss or damage due to potential environmental hazards.

Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (2003) – identifies new business continuity objectives and sound practices to ensure the resilience of the U.S. financial system.

NFA 2-38 (2003) – requires members of the National Futures Association (NFA) to have business continuity and disaster recovery plans and to provide the NFA with contact information to be used during an incident.

NYSE Rule 446 / NASD 3510/3520 (2002) – requires organizations to develop, maintain, review and update business continuity plans to be enacted in the event of a significant business disruption.

Sarbanes-Oxley Act (SOX) (2002) [PDF] – this bill was enacted as a reaction to a number of major corporate and accounting scandals and contains 11 titles that describe specific mandates and requirements for financial reporting.

SEC 17 CFR 240 (2005) – this SEC standard details requirements regarding financial transaction histories, specifically as they relate to electronic securities transactions.

The Electronic Funds Transfer Act – provides a basic framework establishing the rights, liabilities, and responsibilities of participants in electronic fund transfer systems and provides individual consumer rights.

The Fair Credit Reporting Act [PDF] – requires that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.

The Federal Deposit Insurance Corporation Improvement Act of 1991 – mandated a least-cost resolution method and prompt resolution approach to problem and failing banks and ordered the creation of a risk-based deposit insurance assessment scheme; restricts brokered deposits, solicitation of deposits, and the non-bank activities of insured state banks; and created new supervisory and regulatory examination standards and put forth new capital requirements for banks.

Financial Institutions Reform, Recovery and Enforcement Act (FIRREA) of 1989 – meant to reform, recapitalize, and consolidate the Federal deposit insurance system and to enhance the regulatory and enforcement powers of Federal financial institutions regulatory agencies.

The Federal Information Security Management Act of 2002 [PDF] – the Act's purposes include providing a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets; recognizing the highly networked nature of the current Federal computing environment and providing effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities; and providing for the development and maintenance of the minimum controls required to protect Federal information and information systems.

Foreign Corrupt Practices Act – sets out prohibited foreign trade practices by securities issuers.

Securities and Exchange Act §32(a) and (b) [PDF] – sets out penalties for failure to exercise duty of care in protecting computerized information.

Protected Critical Infrastructure Information, 6 CFR 29 (2006) – establishes uniform procedures for the receipt, care, and storage of Critical Infrastructure Information voluntarily submitted to the Department of Homeland Security (DHS).

Federal Reserve Banks SR 96-22 (1996) – addresses risk and control issues associated with client/server systems when assessing the risks inherent in complex bank information systems.

Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (2003) – the paper identifies three new business continuity objectives that have special importance in the post-September 11 risk environment for all financial firms.

National Futures Association Compliance Rule 2-38 (2003) – requires each member to establish and maintain a written business continuity and disaster recovery plan.

OCC Bulletin 2001-47 – provides guidance to national banks on managing the risks that may arise from their business relationships with third parties.

Information Technology Risk Management Program (IT-RMP): New Information Technology Examination Procedures (2005) – the FDIC's updated risk-focused information technology (IT) examination procedures for FDIC-supervised financial institutions.

Homeland Security Strategy for Critical Infrastructure Protection in the Financial Services Sector (2004) [PDF] – identifies efforts in the financial services sector to achieve objectives consistent with the overall objectives of the National Strategies.

Supervision of Technology Service Providers Booklet – one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook, and primarily governs the supervision of technology service providers.

FFIEC Business Continuity Planning Booklet – one in a series of booklets that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook, providing guidance to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services.