New FINRA Report: Diversity of Cloud Computing Models Among Broker-Dealers Raises Opportunities and Challenges for the Securities Industry
FINRA Requests Comments on Report
WASHINGTON—A diversity of cloud computing models is transforming how broker-dealers operate, with the potential to enhance agility, efficiency, resiliency and security within firms’ operations, while also highlighting the importance for firms to consider relevant regulatory factors for maintaining investor protection and market integrity, according to a new research report from FINRA.
The report, “Cloud Computing in the Securities Industry,” was issued by FINRA’s Office of Financial Innovation (OFI) following a review of nearly 40 broker-dealer firms, cloud service providers, industry analysts and technology consultants, to better understand the implications of cloud computing on the securities industry.
FINRA also requested comments on the report, including areas where guidance or modifications to FINRA rules may be desired to support cloud adoption while maintaining investor protection and market integrity. Comments are requested by Oct. 16, 2021.
“This report is intended to serve as a tool for our member firms and other industry stakeholders by providing information to help them learn from the experiences of others. In addition, it provides useful insights regarding the challenges and benefits associated with implementation of a cloud computing framework, from both an operational and regulatory perspective,” said Haimera Workie, Head of the Office of Financial Innovation and Senior Director at FINRA. “As broker-dealers are at various stages in their cloud computing journey—from full or partial integration, to pilot projects or not at all—many firms are seeking to explore how these technologies can be used to personalize customer experiences, analyze larger amounts of data faster and increase their competitiveness in areas of rapid innovation.”
During discussions with market participants, several common themes emerged:
- The use of Software as a Service (SaaS) products was prevalent. Many firms, particularly smaller firms, used off-the-shelf SaaS cloud products for non-core business functions, such as email systems, customer relationship management, financial accounting and human resources operations.
- Roll-outs of cloud infrastructure tended to be targeted, incremental and iterative. The majority of firms took a measured approach instead of launching a wholesale migration of the business to the cloud, acknowledging the need for project modifications, specialized skills and training, and measuring financial impact.
- Firms focused heavily on governance, cloud security and training. Firms noted it was important to develop governance and cloud security policies and procedures to safeguard data and systems, often leveraging enhanced security protocols in the cloud environment.
- Organization and cultural changes often accompanied cloud adoption. Optimizing cloud capabilities required changes in the way people work—ensuring greater responsiveness to business needs and enhanced time-to-market capabilities. Cloud adoption often coincided with firms’ reassessing their areas of technology expertise, frequently with existing staff being re-trained or acquiring new staff with cloud expertise.
“As adoption of the cloud continues to grow, firms are finding clear benefits, but also potential challenges,” Workie added. “We encourage broker-dealers to conduct their own assessments of the implications of cloud computing, based on their business models and related use cases, and share those learnings with us.”
Regulatory factors for those operating or migrating to the cloud to consider include:
- Cybersecurity. Firms cite cybersecurity as a potential benefit to cloud computing, due to the many security features available in a cloud environment, but there are challenges in making sure their systems are appropriately configured for security on the cloud.
- Data privacy. If a firm’s cloud adoption leads to changes in how it collects, stores, analyzes and shares sensitive customer data, firms may need to update their policies and procedures related to customer data privacy.
- Outsourcing/vendor management. Outsourcing an activity or function to a cloud service provider or other cloud vendor does not relieve firms of their ultimate responsibility for compliance with all applicable securities laws, regulations and FINRA rules.
- Business continuity. Firms are required to create, maintain, annually review and update written business continuity plans relating to an emergency or significant business disruption.
- Recordkeeping. Firms should be aware of their recordkeeping obligations when assessing any recordkeeping products or services offered by their cloud providers.
FINRA is a not-for-profit organization dedicated to investor protection and market integrity. It regulates one critical part of the securities industry—brokerage firms doing business with the public in the United States. FINRA, overseen by the SEC, writes rules, examines for and enforces compliance with FINRA rules and federal securities laws, registers broker-dealer personnel and offers them education and training, and informs the investing public. In addition, FINRA provides surveillance and other regulatory services for equities and options markets, as well as trade reporting and other industry utilities. FINRA also administers a dispute resolution forum for investors and brokerage firms and their registered employees. For more information, visit www.finra.org.