September 24, 2010 – You can put compliance into your computing cloud. But the cloud can't do the compliance for you.

That is the summation of Richard. T. Sharp, a partner at Milbank, Tweed, Hadley & McCloy LLP, New York, NY, who got the tough job of being the last speaker at Monday's High Performance Computing conference at the Roosevelt Hotel in New York. And took full advantage of his opportunity to toss cold water on the audience that remained to hear him out.

Sharp was trying to make sure that technologists don't go off into the clouds of computing, without thinking first about the regulatory and legal implications of putting tasks onto servers they don't keep in-house and don't directly control.

Whether it's a broker-dealer, a commodities dealer, an investment bank doing proprietary trading or whatever securities industry player that might be looking to control costs and increase flexibility of operations by using the expansive, on-demand capabilities of cloud computing, he had a simple message.

Stop. Before you get started. And figure out what regulations are going to apply to your project.

Otherwise, you're going to get down the road, get the cloud connection up and running, move your functions off-premise – and hit a legal or regulatory roadblock that you could easily have anticipated, in advance.

Let's say you've moved dividend processing into the cloud. And something happens. Shareholders don't get their checks. Who's gonna get the call? Your service provider? Not hardly.

Corporate notices not getting to clients? Who's gonna get the call? You.

Valuations out of whack? Account details missing? You get the idea.

"The biggest mistake you can make is to leave compliance to an afterthrought,'' he said. "You need to make it at the very top of your list.''

The Securities and Exchange Commission and the Financial Industry Regulatory Authority don't even talk in terms of cloud computing. To them, it's "outsourcing," Sharp contends. And core functions, like trading, which reguire registration and qualification can't be outsourced, he said.

But even for clerical and administrative stuff that don't require registration, you have to learn to speak the language of the SEC or FINRA, before you go off into the clouds.

And, in the end, you have to realize that, even with whatever goes into the cloud, you -- as a regulated entity – have to supervise whatever function gets sent off. If the service provider fails, doesn't matter. The enforcement division will be asking you to defend what you did.

So make sure you have solid service level agreements with service providers, clear governance processes, access to books and records, surveillance and exception reports and audit and inspections rights.

No matter what goes into the cloud, you remain responsible for compliance.

Otherwise, Sharp said, "when the cloud bursts, the system will fail, and you, the user, will end up in jail.''

This originally appeared on Securities Technology Monitor.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access