Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Business Continuity

Communications Failure BCP: When Your Telecom, Email, and Collaboration Platforms Go Down Simultaneously

AT&T's February 2024 outage lasted 11 hours and disrupted bank branches, fraud callbacks, and employee communications across the US. CrowdStrike's July 2024 update crashed the same Windows infrastructure that Microsoft Teams runs on. Most financial institution BCPs still treat communications as background infrastructure. Here's what your plan is missing.

By Rebecca Leung · June 11, 2026 ·
Table of Contents

Your business continuity plan covers power failures, data center outages, and ransomware scenarios. Most BCPs do not answer this question: if your incident response is coordinated on Microsoft Teams — and Teams is offline — who calls who?

In February 2024, AT&T’s network went down for approximately 11 hours across the United States. The FCC’s post-incident report confirmed the outage affected tens of thousands of customers including first responders and financial institutions, with an estimated $500 million economic impact. Customer calls couldn’t reach bank branches. Employees couldn’t reach each other by mobile on AT&T. Out-of-band callback verification — a core fraud prevention control for wire and ACH transactions — failed at institutions whose callback systems ran through AT&T’s network.

Four months later, on July 19, 2024, a faulty CrowdStrike Falcon Sensor update crashed approximately 8.5 million Windows computers globally. Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank, Capital One, and Charles Schwab all reported operational disruptions. ATMs went offline. Call centers went down. Mobile banking apps became unavailable. And the Microsoft Teams instances that employees would have used to coordinate their incident response were running on the same Windows infrastructure that CrowdStrike had just crashed. Two failure modes that BCPs typically treat as separate turned out to be caused by the same event.

In January 2025, Capital One customers experienced a multi-day outage when FIS Global — their core banking services provider — suffered a power failure. Customer-facing communications, branches, call centers, and the mobile app all depended on infrastructure that had just failed.

These aren’t edge cases. They’re a pattern. And most financial institution BCP communications annexes are not written for them.

TL;DR

  • Three major outages in 18 months disrupted financial institution communications: AT&T (11 hours, $500M economic impact), CrowdStrike (8.5M devices, multiple major banks), Capital One/FIS (multi-day customer outage)
  • FFIEC requires diversified telecom, redundant connections, and backup communications — including alternatives when voice and data are both unavailable
  • The core gap: cloud-native communications (Teams, Slack, Zoom) run on the same infrastructure as banking systems — one failure event can take out both
  • A communications BCP that relies on the platform that went offline is a circular dependency, not a backup
  • FFIEC examiners test whether backup communications have been exercised, not just documented

What FFIEC Actually Requires

The FFIEC Business Continuity Management booklet dedicates Section IV.B specifically to communications strategies. The requirements are more detailed than most institutions realize.

Management must, at minimum:

  • Diversify telecommunication lines — provisioning voice service from two different carrier locations, not just two different lines from the same local loop
  • Establish redundant internet connectivity through a secondary ISP on an independent network path, with traffic balanced between providers under normal conditions
  • Verify recovery site communications independently — not just that the DR site has a circuit, but that its communications can handle full operational load for all clients if the primary site goes dark
  • Implement multiple mechanisms — when traditional voice and data are impaired, the institution must be able to reach employees, customers, vendors, and regulators through alternate paths

The operative phrase in the FFIEC guidance: “when traditional voice communications and telecommunications are impaired or inoperable.” The standard isn’t what you’d do if email is slow. It’s what you’d do if both primary voice and primary data communications fail simultaneously — the AT&T + CrowdStrike scenario.

Most BCPs answer a softer version of this question. Examiners increasingly test the harder one.

The Cloud Dependency Problem

The communications landscape at financial institutions has shifted fundamentally over the last five years. Primary internal communications are no longer on-premises PBX and corporate email servers. They’re Microsoft Teams, Slack, Zoom, and hosted VOIP — all running on hyperscaler cloud infrastructure.

This creates a specific resilience problem: your communications tools now share infrastructure with your banking systems.

When CrowdStrike’s update crashed Windows machines in July 2024, it didn’t just take down bank operations — it took down the Teams instances that employees needed to coordinate their response. The same event that created the incident took out the primary communications channel for managing it. Institutions that had independently tested backup communications were able to route around this. Institutions that hadn’t discovered the gap in real time, during an actual incident.

The cloud concentration risk guidance from OCC and FDIC addresses this problem at the infrastructure level. The communications dimension deserves specific attention: if your BCP relies on Teams or Slack to coordinate during an outage, and that outage affects your Azure or AWS tenant, you don’t have a backup communications plan — you have a circular dependency.

The Six Components of a Communications Failure BCP

A defensible communications BCP addresses six areas, each with its own backup mechanism that doesn’t depend on the systems most likely to fail.

1. Voice Communications Backup

Primary failure mode: Your VOIP system, hosted PBX, or cloud-based phone platform goes down.

Required backup:

  • A secondary voice capability on a different carrier and technology layer — cellular on a carrier separate from any corporate VOIP provider, physical landlines at select critical locations, or satellite phones for the most senior response roles
  • Documented callback numbers that are independent of the VOIP system — pre-loaded into BCP documentation in physical form, not just in a directory that requires the phone system to access
  • Specific coverage for the fraud callback verification function — if your VOIP is down and the callback line is the same number, your fraud prevention control has a gap. This needs to be tested explicitly

2. Data and Email Backup

Primary failure mode: Corporate email, corporate internet access, or both are unavailable.

Required backup:

  • Pre-registered personal email addresses for key personnel stored in your emergency contact system and tested quarterly
  • SMS/text messaging through personal mobile devices (FFIEC explicitly permits this as an alternative when corporate systems are unavailable)
  • A secondary webmail or messaging capability on a different cloud provider — a Gmail group, a Proton account, or a messaging platform not on Microsoft’s infrastructure for the incident response team, with pre-populated contacts stored offline

3. Collaboration Tool Independence

Primary failure mode: Microsoft Teams, Slack, or Zoom are unavailable because they share cloud infrastructure with the failed system.

Required backup: A communications channel genuinely independent of Microsoft Azure, AWS, or whatever cloud your primary tools run on. This means:

  • Pre-configured personal Signal or encrypted messaging group for the incident response team, using personal (not corporate) devices
  • A Zoom account hosted on a different cloud provider than your primary environment
  • Satellite communication for senior leadership and the board for extended outages

The test for whether your backup is genuine: if AWS us-east-1 went down completely, could your incident response team convene and make decisions? If the answer requires Teams or any other Microsoft product, you have a dependency, not a backup.

4. Customer Notification Capability

Primary failure mode: Your outbound notification system (email alerts, push notifications, IVR messages) is unavailable because it runs on affected infrastructure.

Required backup:

  • A vendor relationship — or a secondary notification vendor — that can send outbound messaging from an independent system when your primary notifications are down
  • Pre-drafted customer notification messages stored offline and in physical form, ready to deploy through the backup channel
  • A website status page hosted on a CDN or third-party platform with independent credentials, updated without access to your primary systems

Capital One’s January 2025 FIS outage illustrates this directly: when your core banking provider fails, the notification systems that route through that provider may fail simultaneously. Your customer communication BCP needs to work independently of your core banking vendor.

5. Board and Regulatory Notification Capability

Primary failure mode: Your normal executive escalation and board notification pathway depends on Teams, corporate email, or the internal communications systems that are offline.

Required backup:

  • Personal mobile numbers for all board members, verified annually and stored in a physical format accessible without systems access
  • Personal email addresses (not corporate) for board members, with the emergency communication protocol documented and board members briefed
  • Direct contact information for your primary federal regulator’s emergency notification line — the specific number and the name of the person designated for your institution — stored offline

The FFIEC 36-hour notification rule still applies during a communications outage. If you can’t reach your primary regulator through normal channels, you need to know the emergency contact. Regulators understand that outages happen; what they don’t accept is a notification that comes at hour 48 because the institution couldn’t find the right phone number.

6. Vendor and Counterparty Contact

Primary failure mode: Your primary method of communicating with critical vendors, correspondent banks, and payment system participants is unavailable.

Required backup:

  • Emergency contact lists for all critical third parties including primary and backup contacts with personal mobile numbers
  • Separate emergency hotline numbers distinct from normal support channels, confirmed to be operational and updated quarterly
  • Pre-established alternate communication methods for time-sensitive operations — your wire room and payment operations teams need to be able to reach their counterparts at correspondent banks even if both primary systems are down

For fintechs with sponsor bank relationships, this becomes a BCP dependency scenario in its own right. The partner bank’s communications failure is your operational problem.

What Examiners Will Test

The FFIEC BCM exam approach to communications is not to read your backup communications policy. Examiners ask whether you’ve activated it.

Specifically, the exam looks for:

Examiner QuestionWhat They’re Looking For
”When did you last test your backup communications?”Test date, participants, and documented results — not just a policy reference
”What happened when you activated backup communications in a tabletop?”Specific gaps identified, remediation completed
”What are your alternative communications when Teams is unavailable?”A genuine answer — not “we’d use Slack instead"
"Who calls your board during an outage?”Names, personal numbers, and whether those numbers are current
”How does your recovery site communicate when primary is down?”Evidence of tested independent circuit, not just the existence of one

The most common finding: backup communications systems exist in policy but have never been activated. Phone trees with disconnected numbers. Satellite phone subscriptions that expired. Secondary ISP circuits provisioned in the contract but never tested under load.

For ongoing monitoring between exam cycles, business continuity KRIs should include: percentage of emergency contacts verified in the last quarter, number of backup communications methods tested in the last 12 months, and open gaps from the last communications failure tabletop exercise.

The Scenario Your Team Should Run This Quarter

Most BCP tabletops assume partial functionality — the team can still email each other, they just can’t access the data center. That assumption is not the CrowdStrike scenario. It’s not the AT&T scenario.

The scenario your incident response team actually needs to practice:

It’s 7:00 a.m. on a Tuesday. Your hosted VOIP system is offline. Corporate email is unavailable. Microsoft Teams is not loading. Your CEO is receiving a personal cell call from a board member who saw something on Bloomberg. How does your incident response team convene? Who calls who, in what order, using what verified number? When your primary federal regulator calls your main switchboard and it’s down, what number do they use? How do you notify customers that services are disrupted when your notification platform is also offline?

This exercise surfaces the gaps that routine tabletops never reach. It also generates the documented test results that examiners want to see — not a theoretical plan, but a record of what worked, what didn’t, and what was remediated.

So What?

The Business Continuity & Disaster Recovery Kit includes BCP templates, tabletop exercise frameworks, and the communications annex structure FFIEC examiners expect — including the tested backup mechanisms, emergency contact verification process, and scenario documentation that turns a paper BCP into an operational one.

The organizations that navigated AT&T, CrowdStrike, and the Capital One/FIS outages without major regulatory consequences shared a common characteristic: they had practiced the scenarios their BCPs are supposed to cover. Not in theory — in a conference room with personal phones and a scenario that explicitly took their normal communications offline. They knew who called who, in what order, using what number, when everything else was unavailable.

That exercise takes two hours. The alternative is discovering the gap during an actual incident, while an examiner is watching the clock on your 36-hour notification window.

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

Does FFIEC require financial institutions to have a communications-specific BCP?
Yes. The FFIEC Business Continuity Management booklet explicitly requires financial institutions to maintain backup communications strategies. Section IV.B of the BCM IT handbook specifies that management should 'consider, plan for, and prepare multiple mechanisms to communicate with others' and that institutions should diversify telecommunication lines, establish redundant connections, and identify multiple power sources. The exam question isn't whether you have a communications BCP — it's whether you've tested it.
What's the most common gap in financial institution communications BCPs?
Cloud-native dependency without a fallback. Most institutions have moved their primary communications to Microsoft Teams, Slack, or similar platforms — which run on the same cloud infrastructure as their core systems. The CrowdStrike July 2024 outage crashed both banking operations and the Teams instances employees would normally use to coordinate their response. A communications BCP that relies on the platform that's offline during the outage is not a BCP.
What backup communications do FFIEC examiners expect?
At minimum: (1) A secondary voice communications option on a different carrier or technology layer; (2) A way to reach employees that doesn't depend on corporate email or Teams/Slack; (3) A customer notification mechanism that functions during an outage; (4) A tested vendor and counterparty emergency contact list with verified mobile numbers. The specific technology matters less than demonstrating you've tested it under realistic failure conditions.
How does cloud communications dependency affect FFIEC BCM compliance?
It creates a third-party technology dependency that must be assessed in your BIA and covered in your BCP strategies. FFIEC expects institutions to verify that their recovery site has independent communications capability — not just a circuit that routes through the same cloud infrastructure as the primary site. If your DR site relies on the same Microsoft Azure tenant as primary operations, a regional Azure outage takes out both.
Should Microsoft Teams and Slack be tested in BCP tabletop exercises?
Yes — and the most revealing test is a 'total communications failure' scenario that explicitly takes Teams and Slack offline. Most tabletops assume 'you can communicate — now what?' The more important scenario is: your primary phone system, corporate email, Teams, and Slack are all down simultaneously. How does your incident response team convene? How do you notify the board? How do you communicate with customers? Testing that scenario surfaces gaps that a routine tabletop never finds.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Business Continuity & Disaster Recovery (BCP/DR) Kit

BCP and DR templates with BIA, recovery procedures, and a standalone tabletop exercise kit.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.