October 22, 2021
Jennifer Piorko Mitchell
Office of the Corporate Secretary
1735 K Street, NW
Washington, DC 20006-1506
Re: Response to Request for Comments on FINRA Report, “Cloud Computing in the Securities Industry”
Dear Ms. Mitchell:
The Securities Industry and Financial Markets Association (“SIFMA”)1 welcomes the opportunity to present its views to the Financial Industry Regulatory Authority Inc. (“FINRA”) in response to FINRA’s request for public comment on its recent report discussing the adoption and deployment of cloud computing services and products within the securities industry (the “Cloud White Paper”).2
SIFMA member firms have conscientiously addressed the importance of cloud services and the potential impact they may have in the securities industry, as well as the financial, reputational, and legal risks posed by the use of cloud services. Board-level oversight and thoughtfully developed regulatory, oversight and contracting policies, processes, and control functions associated with the adoption and deployment of cloud services are rapidly becoming industry standard and help to ensure that cloud services are adopted with an appropriate focus on existing regulations and risks to firms and their customers.
In the event FINRA determines further regulation or guidance is appropriate and necessary in the future, we encourage FINRA remain mindful of the challenges presented by the regulatory and contracting ecosystem, as further discussed below. In light of the rigorous existing regulatory landscape, and the significant impact vendors can have on firms’ ability to develop compliant contracting practices within the cloud services ecosystem, a principles-based approach to further guidance on cloud may be appropriate. FINRA may continue to assess and clearly identify potential harms to be abated and empower firms to find appropriate, relevant, risk-based solutions. Focusing on risks and outcomes will allow firms to be flexible and pragmatic in response to the evolving challenges posed by the procurement of cloud services and permit FINRA to remain agile in its oversight of critical risks cared for by existing regulations.
Our comments below address FINRA’s request for comments on the Cloud White Paper, “including areas where guidance or modifications to FINRA rules may be desired to support cloud adoption while maintaining investor protection and market integrity” (p. 15). While we believe issuing additional guidance or modifying FINRA rules is not necessary at this time (as broker-dealers in the securities industry are already subject to complex and comprehensive regulations relevant to cloud services, noted in the Cloud White Paper (p. 12)), we wish to acknowledge a number of points on which FINRA’s and SIFMA’s views appear to align, as well as provide additional perspective on certain challenges SIFMA has noted in its examination of similar services and in its conversations with its members regarding the adoption of cloud services.
FINRA’s recent Cloud White Paper provides a thorough and comprehensive overview of many of the challenges facing broker-dealers at various stages of their cloud adoption and migration journeys. The Paper captures and explains many of the experiences SIFMA members have reported, and it highlights many of the risks and benefits that cloud services offer our members and other firms within the industry. Broker-dealers continue to work with the cloud services providers to ensure cloud services delivery align with the business practices of and regulatory requirements within the industry. At times, however, cloud services providers engage in practices and adhere to customs that create new challenges to broker-dealers, particularly around disclosures of business continuity practices and flexibility relating to certain record-keeping and data access and retention requirements. SIFMA welcomes the guidance and clarity the Cloud White Paper provides around current challenges and risks, as well as existing regulatory requirements, firms must address when utilizing cloud services. The current range of regulations and regulatory guidance provide robust and extensive safeguards requiring complex relationships between firms and service providers maintaining a delicate balance between flexible, scalable, and resilient services provision within the range of required safety measures and regulatory demands. SIFMA encourages further exploration into the issues and a continued open dialogue with the industry.
1 SIFMA is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets. On behalf of our members, we advocate for legislation, regulation, and business policy affecting retail and institutional investors, equity and fixed income markets, and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA).
2 Cloud Computing in the Securities Industry (August 16, 2021), https://www.finra.org/rules-guidance/key-topics/fintech/report/cloud-computing.