You can put compliance into your computing cloud. But the cloud can't do the compliance for you.
That is the summation of Richard T. Sharp, a partner at
Sharp was trying to make sure that technologists don't go off into the clouds of computing, without thinking first about the regulatory and legal implications of putting specific tasks onto servers they don't keep in-house and don't directly control.
Whether it's a mutual fund company, broker-dealer or an investment bank looking to control costs and increase flexibility through cloud computing, he had a simple message: Stop and think.
Before you get started. Whether it's cost-basis reporting, XBRL, proxy solicitations, 12b-1 fees or revenue-sharing-figure out what specific regulations are going to apply to your project.
Otherwise, you're going to get down the road, get the cloud connection up and running, move your functions off-premise-and inevitably hit a legal or regulatory roadblock that you could easily have anticipated, in advance.
Let's say you've moved dividend processing into the cloud. And something happens. Shareholders don't get their checks. Who's gonna get the call? Your service provider? Not hardly.
Corporate notices not getting to clients? Who's gonna get the call? You.
Valuations out of whack? Account details missing? You get the idea.
The
But in the end, if the service provider fails, it doesn't matter. The enforcement division will be asking you to defend what you did.
So make sure you have solid service-level agreements with service providers, clear governance processes, access to books and records, surveillance and exception reports and audit and inspections rights.
No matter what goes into the cloud, you remain responsible for compliance.
Otherwise, Sharp said, "when the cloud bursts, the system will fail, and you, the user, will end up in jail."
