US regulators issue disaster recovery guidelines

Three US regulatory agencies - the US Federal Reserve, the Office of the Comptroller of the Currency and the Securities and...

Three US regulatory agencies - the US Federal Reserve, the Office of the Comptroller of the Currency and the Securities and Exchange Commission - have issued a white paper describing objectives for disaster recovery and business continuity plans that should be set in place. 

The agencies stated that they expected organisations that fall within the scope of the white paper to "adopt the sound practices within the specified implementation time frames".

The regulators focused on what they described as "core clearing and settlement organisations", or the largest brokerages, custodian banks and clearing firms, saying they should achieve most of their disaster recovery and sound business continuity practices by the end of 2004. 

In the event of a wide-scale disaster, the nation's financial system "rests on the rapid recovery and resumption of the clearing and settlement activities that support critical markets", the agencies said. 

The guidelines include the recommendation of recovering operations "within the business day on which a disruption occurs, with the overall goal of achieving recovery and resumption within two hours after an event".

"The paper's business continuity objectives, sound practices and timetables will clearly improve the resilience of the US financial markets," said Donald Kittell, executive vice president of the Securities Industry Association. 

The agencies' business continuity objectives included rapid recovery and timely resumption of critical operations following wide-scale disruptions or loss of staff in "at least one major operating location", and a high level of confidence through ongoing testing that plans are "effective and compatible".

Last August, an interagency white paper that was released on strengthening the resilience of the US financial system was soundly criticised by banks and brokerages for its suggestion that there be a minimum distance of 200 to 300 miles between a primary and backup data centre. 

Many firms considered it technically unfeasible. Fibre Channel, the most common network protocol used between data centres, has a distance limit of about 100 miles, or 62km. 

Regulators said firms should also maintain sufficient geographically dispersed resources to meet recovery and resumption objectives. 

But the agencies stated that they were not recommending that firms move their primary offices or data centres outside of metropolitan locations, because they understand that financial firms need to maintain processing sites near the financial markets.

Read more on Business continuity planning