Feature Business Continuity
Communications Failure BCP: When Your Telecom, Email, and Collaboration Platforms Go Down Simultaneously
AT&T's February 2024 outage lasted 11 hours and disrupted bank branches, fraud callbacks, and employee communications across the US. CrowdStrike's July 2024 update crashed the same Windows infrastructure that Microsoft Teams runs on. Most financial institution BCPs still treat communications as background infrastructure. Here's what your plan is missing.
Table of Contents
Your business continuity plan covers power failures, data center outages, and ransomware scenarios. Most BCPs do not answer this question: if your incident response is coordinated on Microsoft Teams — and Teams is offline — who calls who?
In February 2024, AT&T’s network went down for approximately 11 hours across the United States. The FCC’s post-incident report confirmed the outage affected tens of thousands of customers including first responders and financial institutions, with an estimated $500 million economic impact. Customer calls couldn’t reach bank branches. Employees couldn’t reach each other by mobile on AT&T. Out-of-band callback verification — a core fraud prevention control for wire and ACH transactions — failed at institutions whose callback systems ran through AT&T’s network.
Four months later, on July 19, 2024, a faulty CrowdStrike Falcon Sensor update crashed approximately 8.5 million Windows computers globally. Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank, Capital One, and Charles Schwab all reported operational disruptions. ATMs went offline. Call centers went down. Mobile banking apps became unavailable. And the Microsoft Teams instances that employees would have used to coordinate their incident response were running on the same Windows infrastructure that CrowdStrike had just crashed. Two failure modes that BCPs typically treat as separate turned out to be caused by the same event.
In January 2025, Capital One customers experienced a multi-day outage when FIS Global — their core banking services provider — suffered a power failure. Customer-facing communications, branches, call centers, and the mobile app all depended on infrastructure that had just failed.
These aren’t edge cases. They’re a pattern. And most financial institution BCP communications annexes are not written for them.
TL;DR
- Three major outages in 18 months disrupted financial institution communications: AT&T (11 hours, $500M economic impact), CrowdStrike (8.5M devices, multiple major banks), Capital One/FIS (multi-day customer outage)
- FFIEC requires diversified telecom, redundant connections, and backup communications — including alternatives when voice and data are both unavailable
- The core gap: cloud-native communications (Teams, Slack, Zoom) run on the same infrastructure as banking systems — one failure event can take out both
- A communications BCP that relies on the platform that went offline is a circular dependency, not a backup
- FFIEC examiners test whether backup communications have been exercised, not just documented
What FFIEC Actually Requires
The FFIEC Business Continuity Management booklet dedicates Section IV.B specifically to communications strategies. The requirements are more detailed than most institutions realize.
Management must, at minimum:
- Diversify telecommunication lines — provisioning voice service from two different carrier locations, not just two different lines from the same local loop
- Establish redundant internet connectivity through a secondary ISP on an independent network path, with traffic balanced between providers under normal conditions
- Verify recovery site communications independently — not just that the DR site has a circuit, but that its communications can handle full operational load for all clients if the primary site goes dark
- Implement multiple mechanisms — when traditional voice and data are impaired, the institution must be able to reach employees, customers, vendors, and regulators through alternate paths
The operative phrase in the FFIEC guidance: “when traditional voice communications and telecommunications are impaired or inoperable.” The standard isn’t what you’d do if email is slow. It’s what you’d do if both primary voice and primary data communications fail simultaneously — the AT&T + CrowdStrike scenario.
Most BCPs answer a softer version of this question. Examiners increasingly test the harder one.
The Cloud Dependency Problem
The communications landscape at financial institutions has shifted fundamentally over the last five years. Primary internal communications are no longer on-premises PBX and corporate email servers. They’re Microsoft Teams, Slack, Zoom, and hosted VOIP — all running on hyperscaler cloud infrastructure.
This creates a specific resilience problem: your communications tools now share infrastructure with your banking systems.
When CrowdStrike’s update crashed Windows machines in July 2024, it didn’t just take down bank operations — it took down the Teams instances that employees needed to coordinate their response. The same event that created the incident took out the primary communications channel for managing it. Institutions that had independently tested backup communications were able to route around this. Institutions that hadn’t discovered the gap in real time, during an actual incident.
The cloud concentration risk guidance from OCC and FDIC addresses this problem at the infrastructure level. The communications dimension deserves specific attention: if your BCP relies on Teams or Slack to coordinate during an outage, and that outage affects your Azure or AWS tenant, you don’t have a backup communications plan — you have a circular dependency.
The Six Components of a Communications Failure BCP
A defensible communications BCP addresses six areas, each with its own backup mechanism that doesn’t depend on the systems most likely to fail.
1. Voice Communications Backup
Primary failure mode: Your VOIP system, hosted PBX, or cloud-based phone platform goes down.
Required backup:
- A secondary voice capability on a different carrier and technology layer — cellular on a carrier separate from any corporate VOIP provider, physical landlines at select critical locations, or satellite phones for the most senior response roles
- Documented callback numbers that are independent of the VOIP system — pre-loaded into BCP documentation in physical form, not just in a directory that requires the phone system to access
- Specific coverage for the fraud callback verification function — if your VOIP is down and the callback line is the same number, your fraud prevention control has a gap. This needs to be tested explicitly
2. Data and Email Backup
Primary failure mode: Corporate email, corporate internet access, or both are unavailable.
Required backup:
- Pre-registered personal email addresses for key personnel stored in your emergency contact system and tested quarterly
- SMS/text messaging through personal mobile devices (FFIEC explicitly permits this as an alternative when corporate systems are unavailable)
- A secondary webmail or messaging capability on a different cloud provider — a Gmail group, a Proton account, or a messaging platform not on Microsoft’s infrastructure for the incident response team, with pre-populated contacts stored offline
3. Collaboration Tool Independence
Primary failure mode: Microsoft Teams, Slack, or Zoom are unavailable because they share cloud infrastructure with the failed system.
Required backup: A communications channel genuinely independent of Microsoft Azure, AWS, or whatever cloud your primary tools run on. This means:
- Pre-configured personal Signal or encrypted messaging group for the incident response team, using personal (not corporate) devices
- A Zoom account hosted on a different cloud provider than your primary environment
- Satellite communication for senior leadership and the board for extended outages
The test for whether your backup is genuine: if AWS us-east-1 went down completely, could your incident response team convene and make decisions? If the answer requires Teams or any other Microsoft product, you have a dependency, not a backup.
4. Customer Notification Capability
Primary failure mode: Your outbound notification system (email alerts, push notifications, IVR messages) is unavailable because it runs on affected infrastructure.
Required backup:
- A vendor relationship — or a secondary notification vendor — that can send outbound messaging from an independent system when your primary notifications are down
- Pre-drafted customer notification messages stored offline and in physical form, ready to deploy through the backup channel
- A website status page hosted on a CDN or third-party platform with independent credentials, updated without access to your primary systems
Capital One’s January 2025 FIS outage illustrates this directly: when your core banking provider fails, the notification systems that route through that provider may fail simultaneously. Your customer communication BCP needs to work independently of your core banking vendor.
5. Board and Regulatory Notification Capability
Primary failure mode: Your normal executive escalation and board notification pathway depends on Teams, corporate email, or the internal communications systems that are offline.
Required backup:
- Personal mobile numbers for all board members, verified annually and stored in a physical format accessible without systems access
- Personal email addresses (not corporate) for board members, with the emergency communication protocol documented and board members briefed
- Direct contact information for your primary federal regulator’s emergency notification line — the specific number and the name of the person designated for your institution — stored offline
The FFIEC 36-hour notification rule still applies during a communications outage. If you can’t reach your primary regulator through normal channels, you need to know the emergency contact. Regulators understand that outages happen; what they don’t accept is a notification that comes at hour 48 because the institution couldn’t find the right phone number.
6. Vendor and Counterparty Contact
Primary failure mode: Your primary method of communicating with critical vendors, correspondent banks, and payment system participants is unavailable.
Required backup:
- Emergency contact lists for all critical third parties including primary and backup contacts with personal mobile numbers
- Separate emergency hotline numbers distinct from normal support channels, confirmed to be operational and updated quarterly
- Pre-established alternate communication methods for time-sensitive operations — your wire room and payment operations teams need to be able to reach their counterparts at correspondent banks even if both primary systems are down
For fintechs with sponsor bank relationships, this becomes a BCP dependency scenario in its own right. The partner bank’s communications failure is your operational problem.
What Examiners Will Test
The FFIEC BCM exam approach to communications is not to read your backup communications policy. Examiners ask whether you’ve activated it.
Specifically, the exam looks for:
| Examiner Question | What They’re Looking For |
|---|---|
| ”When did you last test your backup communications?” | Test date, participants, and documented results — not just a policy reference |
| ”What happened when you activated backup communications in a tabletop?” | Specific gaps identified, remediation completed |
| ”What are your alternative communications when Teams is unavailable?” | A genuine answer — not “we’d use Slack instead" |
| "Who calls your board during an outage?” | Names, personal numbers, and whether those numbers are current |
| ”How does your recovery site communicate when primary is down?” | Evidence of tested independent circuit, not just the existence of one |
The most common finding: backup communications systems exist in policy but have never been activated. Phone trees with disconnected numbers. Satellite phone subscriptions that expired. Secondary ISP circuits provisioned in the contract but never tested under load.
For ongoing monitoring between exam cycles, business continuity KRIs should include: percentage of emergency contacts verified in the last quarter, number of backup communications methods tested in the last 12 months, and open gaps from the last communications failure tabletop exercise.
The Scenario Your Team Should Run This Quarter
Most BCP tabletops assume partial functionality — the team can still email each other, they just can’t access the data center. That assumption is not the CrowdStrike scenario. It’s not the AT&T scenario.
The scenario your incident response team actually needs to practice:
It’s 7:00 a.m. on a Tuesday. Your hosted VOIP system is offline. Corporate email is unavailable. Microsoft Teams is not loading. Your CEO is receiving a personal cell call from a board member who saw something on Bloomberg. How does your incident response team convene? Who calls who, in what order, using what verified number? When your primary federal regulator calls your main switchboard and it’s down, what number do they use? How do you notify customers that services are disrupted when your notification platform is also offline?
This exercise surfaces the gaps that routine tabletops never reach. It also generates the documented test results that examiners want to see — not a theoretical plan, but a record of what worked, what didn’t, and what was remediated.
So What?
The Business Continuity & Disaster Recovery Kit includes BCP templates, tabletop exercise frameworks, and the communications annex structure FFIEC examiners expect — including the tested backup mechanisms, emergency contact verification process, and scenario documentation that turns a paper BCP into an operational one.
The organizations that navigated AT&T, CrowdStrike, and the Capital One/FIS outages without major regulatory consequences shared a common characteristic: they had practiced the scenarios their BCPs are supposed to cover. Not in theory — in a conference room with personal phones and a scenario that explicitly took their normal communications offline. They knew who called who, in what order, using what number, when everything else was unavailable.
That exercise takes two hours. The alternative is discovering the gap during an actual incident, while an examiner is watching the clock on your 36-hour notification window.
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Business Continuity & Disaster Recovery (BCP/DR) Kit
BCP and DR templates with BIA, recovery procedures, and a standalone tabletop exercise kit.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
Does FFIEC require financial institutions to have a communications-specific BCP?
What's the most common gap in financial institution communications BCPs?
What backup communications do FFIEC examiners expect?
How does cloud communications dependency affect FFIEC BCM compliance?
Should Microsoft Teams and Slack be tested in BCP tabletop exercises?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Business Continuity & Disaster Recovery (BCP/DR) Kit
BCP and DR templates with BIA, recovery procedures, and a standalone tabletop exercise kit.
◆ Keep reading
Related posts.
Business Continuity
Power and Telecommunications Resilience: What the 2026 FFIEC BCM Booklet Requires You to Document and Test
The 2026 FFIEC BCM Booklet elevated power and telecommunications resilience from a supporting concern to a standalone examination focus. Here's what examiners now look for in generator testing, telecom redundancy documentation, and alternate site utility independence.
Jul 4, 2026
Business Continuity
Your BCP Activation Just Became a Regulatory Notification Trigger: What FCA/PRA PS26/2 Requires by March 2027
The FCA and PRA published PS26/2 in March 2026, establishing a new operational incident reporting regime that hardwires regulatory notification into BCP activation. Financial institutions with UK operations have until March 18, 2027 to comply. Here's what needs to change in your BCP.
Jul 1, 2026
Business Continuity
BCP Update Triggers: When FFIEC Requires You to Revise Your Business Continuity Plan Between Annual Reviews
Annual BCP review isn't enough. The FFIEC BCM Handbook and ISO 22301 both identify specific events that require mid-cycle plan updates. Here's the six-trigger framework that keeps your program defensible year-round.
Jun 25, 2026