FINRA Regulatory Notice 20-08 on pandemic business continuity

FINRA issued Regulatory Notice 20-08 on 9 March 2020, providing guidance on pandemic-related business continuity planning and temporary regulatory relief to help broker-dealers maintain operations during the COVID-19 crisis. The notice addressed remote work arrangements, supervision requirements, and recordkeeping obligations during disruption. This guidance became essential as market volatility spiked and firms transitioned thousands of employees to remote work within days.

Business Continuity Planning Requirements

BCP activation triggers should clearly identify conditions requiring plan setup, including pandemic declarations, significant employee illness rates, and facility inaccessibility. Firms must ensure BCPs address scenarios where traditional office operations are not feasible for extended periods. The notice emphasized that pandemic BCPs differ from disaster recovery plans because disruptions are prolonged and affect all locations simultaneously.

Remote work capabilities require advance planning for technology infrastructure, including VPN capacity, collaboration tools, and remote access to trading and compliance systems. Firms should test remote work arrangements before emergencies to identify connectivity issues and address security vulnerabilities. Trading desks faced particular challenges ensuring market data feeds and order management systems performed adequately over home internet connections.

Communication protocols must establish reliable channels for reaching employees, customers, regulators, and counterparties during disruptions. BCPs should identify backup communication methods and decision-making hierarchies when primary contacts are unavailable. Firms needed to update contact information for essential personnel and establish procedures for rapid communication during market hours.

Supervision During Remote Work

Supervisory system adaptation addresses how firms will maintain appropriate supervision when registered representatives work from home or other remote locations. Supervisors must have visibility into communications, trading activity, and customer interactions regardless of employee location. The challenge intensified as supervisors themselves worked remotely without the ability to observe trading floors directly.

Electronic communication monitoring becomes more critical when employees cannot be observed directly. Firms should ensure surveillance systems capture all business communications, including those using personal devices or alternative platforms authorized for remote work. The spread of video conferencing and messaging platforms created new surveillance gaps that firms needed to address.

Branch inspection modifications may be necessary when physical inspections are not feasible. FINRA showed it would work with firms on alternative inspection approaches during periods when travel restrictions prevent traditional on-site reviews. Virtual inspections using video conferencing and screen sharing emerged as interim solutions.

Recordkeeping Considerations

Books and records access must be maintained even when employees work remotely. Firms should ensure that required records can be accessed, reproduced, and provided to regulators from remote locations, with appropriate security controls protecting sensitive information. Cloud-based systems offered advantages for remote access compared to on-premises infrastructure.

Communication capture requirements extend to all business-related communications regardless of medium or employee location. Firms should clarify approved communication channels for remote work and ensure surveillance systems can capture communications through those channels. Unauthorized use of personal devices or non-approved platforms created compliance exposure.

Audit trail maintenance for trading and order handling must continue during remote operations. Firms should verify that order management systems accurately timestamp and record activities regardless of where employees access those systems.

Regulatory Relief Provisions

Temporary accommodations addressed specific rule requirements that might be difficult to meet during pandemic conditions. FINRA showed flexibility in areas including notarization requirements, in-person meetings, and certain timing deadlines. This relief recognized practical constraints while maintaining investor protection objectives.

Relief request process enabled firms facing compliance challenges to request temporary exemptions or modifications. Firms should document circumstances requiring relief and show good faith efforts to comply with underlying regulatory objectives. Written requests with specific justification improved prospects for favorable responses.

Ongoing communication with FINRA and other regulators was encouraged for firms experiencing compliance difficulties. Early engagement helped regulators understand industry challenges and provide appropriate guidance.

Technology and Security

Cybersecurity heightened risks accompany remote work arrangements as employees access firm systems from less controlled environments. BCPs should address security requirements for remote access, including encryption, multi-factor authentication, and endpoint protection. Threat actors were expected to target the transition period with phishing and social engineering attacks.

System capacity planning must account for dramatic increases in remote access during disruptions. Firms should stress-test VPN concentrators, trading platforms, and communication systems to ensure they can handle full-firm remote operations. The combination of remote access surge and market volatility created unprecedented system demands.

Customer communication security requires verification procedures when conducting business remotely, as traditional in-person identity confirmation may not be available. Firms should implement improved verification for high-risk transactions conducted during remote operations and document the verification methods used.

Regulatory Flexibility in Crisis

FINRA's pandemic guidance showed that regulators can adapt when circumstances demand it. The core requirements did not disappear, but the way firms could meet them became more flexible.

For compliance teams, this was both relief and challenge. You had more options, but you also had to document why your alternative approaches were reasonable. Flexibility requires judgment—and documentation of that judgment.

Building Adaptive Compliance Programs

The firms that navigated pandemic compliance best were those with mature risk management frameworks. They could quickly assess which requirements mattered most, identify reasonable alternatives, and document their decisions clearly.

Build that capability now, before the next crisis. Your compliance program should be flexible enough to handle unexpected circumstances while maintaining the spirit of regulatory requirements.

Technology for Distributed Operations

The pandemic accelerated adoption of technologies that enable distributed work while maintaining compliance. Remote supervision tools, electronic recordkeeping, and digital communications archiving became essential overnight.

If your firm has not modernized these capabilities, consider this a warning. The next disruption might not give you time to figure it out on the fly. Invest in compliance technology before you desperately need it.

Supervision in a Remote World

Supervising registered representatives working from home creates unique challenges. How do you ensure conversations are recorded? How do you prevent unauthorized trading? How do you maintain the culture of compliance when your team is scattered?

The firms that succeed build trust without sacrificing oversight. Clear policies, reliable technology, and regular communication help maintain compliance culture even when the office is everyone's spare bedroom.

Documentation Best Practices

When you deviate from normal procedures, document everything. Why did you make the decision? What alternatives did you consider? What risks did you accept? Regulators understand that crisis requires adaptation—but they expect you to show your work.

Create templates for crisis decision documentation now. When things move fast, having a structure for capturing decisions helps ensure nothing falls through the cracks.

Learning from Crisis

Every crisis teaches lessons. The firms that come out stronger are those that conduct honest post-mortems: what worked, what did not, and what needs to change. Compliance programs should evolve based on real-world experience, not just regulatory updates.

Schedule those reviews while memories are fresh. Document what you learned. Apply those lessons to your ongoing compliance program.

Industry Collaboration

Crises reveal the importance of industry relationships. Firms that participate in information sharing organizations, regulatory working groups, and industry associations had better access to guidance and best practices during the pandemic.

Build those relationships in calm times so they are there when you need them.

You may also find useful

Hand-picked articles on adjacent topics.

Compliance · Credibility 73/100 · March 15, 2020

HHS issues limited HIPAA waiver during COVID-19 emergency

HHS waived certain HIPAA penalties for good-faith telehealth during COVID-19. Healthcare providers can use FaceTime, Skype, and similar platforms without the usual business associate agreement requirements.

Compliance · Credibility 86/100 · March 16, 2020

FinCEN outlines BSA expectations during COVID-19 disruptions

FinCEN issued a COVID-19 statement on 16 March 2020 clarifying that Bank Secrecy Act obligations remain in effect, encouraging institutions to maintain AML programs, notify regulators of any delays, and report…

Compliance · Credibility 73/100 · March 17, 2020

HHS OCR eases HIPAA enforcement for telehealth

OCR announced it will not penalize healthcare providers for using non-HIPAA-compliant telehealth platforms during COVID-19. This is a temporary enforcement discretion, not a rule change—but it is letting doctors use Zoom…

Compliance · Credibility 91/100 · March 18, 2020

PCI SSC permits remote assessments during COVID-19 disruptions

PCI SSC released guidance for remote assessments in March 2020—a pandemic necessity. QSAs could do evidence collection remotely with proper controls. This changed how compliance audits work.

Compliance · Credibility 73/100 · March 19, 2020

EDPB outlines GDPR rules for COVID-19 data processing

The European Data Protection Board issued a statement confirming GDPR permits processing health and location data for pandemic response under specific legal bases, while stressing necessity, proportionality, and…

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Third-Party Risk Oversight Playbook

  Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

• Compliance Operations Control Room

  Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

• ESG Assurance Operating Guide

  Deploy credible ESG assurance across CSRD, SEC climate disclosure, and ISSA 5000 requirements with regulator-aligned controls, data governance, and audit-ready evidence.

Coverage intelligence

Published

March 9, 2020

Coverage pillar

Compliance

Source credibility

91/100 — high confidence

Topics

FINRA · COVID-19 · BCP

Sources cited

3 sources (finra.org, sec.gov)

Reading time

6 min

Documentation

1. FINRA Notice 20-08 — FINRA
2. FINRA Business Continuity — FINRA
3. SEC Rule 17a-4 — SEC