FINRA's Office of Financial Innovation ("staff") issued a report and requested comment on the regulatory implications of cloud computing, a technology increasingly adopted by broker-dealers for the purposes of scaling operations, business continuity and launching products. In the report, staff reviewed the experiences of 40 market participants (broker-dealers, cloud service providers, industry analysts and technology consultants), and focused on the following:
- Software as a Service ("SaaS") products. Firms tended to migrate to the cloud using off-the-shelf SaaS products, concluding that purchasing instead of building applications was more "expeditious."
- Targeted, incremental and iterative rollouts. Firms tended to launch their migration to the cloud in discrete steps, and many firms started with a pilot project to test the use case before a larger launch. FINRA noted that some firms chose to begin data migration by sending less sensitive data into the cloud.
- Governance and cloud security protocols. Firms emphasized the importance of expending "significant resources" in the development of governance and cloud security policies.
- Organizational changes. In an effort to speed time-to-market, firms used the migration as an opportunity to better integrate software development and operations.
In the report, FINRA highlighted the regulatory implications of cloud computing, including in the following areas: (i) cybersecurity management; (ii) data privacy for the protection of customer records and information, as set out under SEC Regulation S-P ("Privacy of Consumer Financial Information and Safeguarding Personal Information") and NASD Notice 05-49; (iii) outsourcing to and relationship management of a service cloud provider, which FINRA reminded firms does not relieve them of compliance obligations; (iv) business continuity pursuant to FINRA Rule 4370 ("Business Continuity Plans and Emergency Contact Information"), given that the cloud offers greater storage and computing capacity; and (v) recordkeeping of cloud products or services, as set out under SEA Rule 17a-4 ("Records to be preserved by certain exchange members, brokers and dealers").
Comments on the report, including on guidance or modifications to FINRA rules so as to support cloud adoption, must be received by October 16, 2021.
Commentary by Steven Lofchie
Firms should also be mindful of FINRA's recent notice emphasizing that firms retain regulatory responsibility for outsourced tasks, and that such tasks must be supervised as if they were conducted in house.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.