By Charles Dolan, Global Markets Advisory Group 

Nasdaq’s CEO Adena Friedman announced last month that Nasdaq will eventually move its entire computing workload to the public cloud. All of it – its trading systems, its surveillance systems, and everything that supports their business – will be moved.

Given the advances in cloud computing technology, and the ubiquity of the cloud, you might think that Nasdaq’s news isn’t really news.  But why? Aren’t lots of businesses in the cloud these days? Shouldn’t it be easy to move the cloud?  As it turns out, for financial services companies, the answer is “no.”

Part of the problem is regulations that were designed before public cloud was a realistic option for managing data and hosting workloads.  Some prohibit banks and broker-dealers from outsourcing so-called “core” services, or from sharing sensitive customer information with third-party vendors, even though cloud services in most cases offer more advanced processing capabilities and better data protection. Others impose conditions – such as access to data centers and limitations on sharing resources – that are inconsistent with how the cloud outsourcing business actually runs.

Another problem is that regulators don’t always understand how the cloud business model is organized, or how to think about regulatory liability for outsourced functions.  In short, there’s no clear regulatory roadmap for migrating workloads to the cloud.

We ought to know:  my firm, Global Markets Advisory Group, (“GMAG”), has been advising some of the largest Cloud Service Providers, (“CSPs”), in the country for the past few years on matters ranging from drafting outsourcing regulatory language to be used in jurisdictions around the globe to mapping out the various considerations involved in the shared-responsibility model between the CSPs and financial institutions.  We have seen first-hand how difficult progress is given regulatory inertia, inadequate understanding (on all sides) of how regulations and technology connect, and fundamental culture clashes among the regulators, regulated financial services firms, and tech companies.

The regulatory uncertainty is ironic given that one of the first and very public cloud migration examples was by a regulator: in 2014 the Financial Industry Regulatory Authority decided to migrate its data to the public cloud.  FINRA currently ingests nearly 75 billion messages daily and, as CIO Steve Randich observed, “with cloud storage and processing, our staff has access to petabytes of data in seconds or minutes, even during consecutive days of record-breaking activity.”[1]  The other high-profile example also involves a regulator:  in 2017, the SEC approved an implementation of the Consolidated Audit Trail, (“CAT”) that relies on the public cloud.  This is significant given both the volume of data ingested daily when operational and the security concerns around the sensitivity of that data.

Despite these public examples, financial services firms have moved only a fraction of their applications to the cloud. So, what’s causing the holdup?

Picture this. You’ve moved into a new town and after a week of driving down Main Street realize there is no speed limit sign. Trying to be a conscientious citizen, you pull into the local police department and ask them how fast you should be driving to which they respond, “drive at a reasonable speed”.  You assess the traffic, observe the traffic lights and pedestrian crossings, and determine that you can safely drive 30 miles per hour. A week later the police ring your bell to deliver a stack of tickets citing you for speeding because you drove down Main Street at an “unreasonable” speed. Sound familiar?

Financial firms and banks are holding back on finalizing their cloud strategies until they get clear guidance on the regulatory “rules of the road.”  Given their substantial regulatory obligations, financial services firms are concerned that if they introduce new trading or technology platforms – at considerable effort and cost – without clear and authoritative regulatory guidance, they risk running afoul of an unforeseen regulatory requirement.

Regulators, meanwhile, are trying to get their arms around the technological, operational and regulatory issues involved in migrating from a traditional data center to a cloud-based model.   Accelerating cloud adoption therefore depends on clear regulatory guidance on the approach that the regulators will use to review and audit financial services firms’ cloud migrations.  Crucially, the benefit goes both ways: A mutually-agreed set of standards would not only benefit industry participants looking to migrate but also regulators reviewing the cloud implementations for compliance.

Examples of how to do this can be found across the Atlantic: On December 20, 2017, the European Banking Authority, (“EBA”), issued “final guidance” for the use of cloud service providers by financial institutions. The EBA Recommendations “clarify[ied] the EU-wide supervisory expectations if institutions intend to adopt cloud computing, allowing them to leverage the benefits of using cloud services, while ensuring that any related risks are adequately identified and managed.”[2]This document highlights specific areas where financial firms, specifically banks, should focus their attention when considering cloud migration.

As far back as 2015, the UK Financial Conduct Authority, (“FCA”) proposed guidance for firms outsourcing to the cloud and other third-party IT services.[3]Interestingly, the FCA chose to conduct round table discussions with industry participants in order to design and provide their guidance, in order to “avoid imposing inappropriate barriers to firms’ ability to outsource to innovative and developing areas, while ensuring that risks are appropriately identified and managed.”[4]  The document offers a basic roadmap for migration but leaves it to firms to decide how they will ensure comprehensive compliance with all aspects of implementation.

Not a matter of if, just a matter of when

There is little doubt that data intensive industries will increasingly seek out the benefits of cloud technology. Even though moving data is still fairly expensive, the business case and benefits of the cloud (e.g., scalability, security, redundancy, reliability) are too compelling to ignore.  The good news is that US regulators are starting to understand this: In a recent report Treasury Secretary Mnuchin acknowledged that “[c]reating a regulatory environment that supports responsible innovation is crucial for economic growth and success, particularly in the financial sector….We must keep pace with industry changes and encourage financial ingenuity to foster the nation’s vibrant financial services and technology sectors.”[5]

My firm’s interactions with regulators, cloud service providers and the financial services industry in general make plain to us that they all have a common goal of addressing the critical issues surrounding cloud migration, even if they don’t always realize it. The sooner they coalesce their varying viewpoints and concerns, the sooner a baseline migration roadmap can be designed and implemented. It’s no longer a matter of “if” but a matter of “when” the enormous benefits of this technology will be unlocked and realized.  Clear regulatory guidance is critical to that, and can be a powerful enabler if done in tandem with user input.  As the FCA stated way back in 2014,“Innovation can be a driver of effective competition, so we want to support innovation and ensure that regulation unlocks these benefits, rather than blocks them.”[6]

[1]https://financialadvisoriq.com/c/2035593/236363

[2]https://eba.europa.eu/-/eba-issues-guidance-for-the-use-of-cloud-service-providers-by-financial-institutions

[3]this guidance was recently updated and amended in July 2018 to no longer include banks, which now defer to EBA guidance

[4]https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf

[5]https://home.treasury.gov/news/press-releases/sm447

[6]https://www.fca.org.uk/news/speeches/innovation-regulatory-opportunity