Off in the Clouds, Legally Speaking
September 27, 2010
You can put compliance into your computing cloud. But the cloud can't do the compliance for you.
That is the summation of Richard T. Sharp, a partner at Milbank, Tweed, Hadley & McCloy LLP, New York, who got the tough job of being the last speaker at Monday's High Performance Computing conference at the Roosevelt Hotel in New York. And took full advantage of his opportunity to toss cold water on the audience that remained to hear him out.
Sharp was trying to make sure that technologists don't go off into the clouds of computing, without thinking first about the regulatory and legal implications of putting specific tasks onto servers they don't keep in-house and don't directly control.
Whether it's a mutual fund company, broker-dealer or an investment bank looking to control costs and increase flexibility through cloud computing, he had a simple message: Stop and think.
Before you get started, whether it's cost-basis reporting, XBRL, proxy solicitations, 12b-1 fees or revenue sharing, figure out what specific regulations are going to apply to your project.
Otherwise, you're going to get down the road, get the cloud connection up and running, move your functions off-premise, and inevitably hit a legal or regulatory roadblock that you could easily have anticipated in advance.
Let's say you've moved dividend processing into the cloud. And something happens. Shareholders don't get their checks. Who's gonna get the call? Your service provider? Not hardly.
Corporate notices not getting to clients? Who's gonna get the call? You.
Valuations out of whack? Account details missing? You get the idea.
But in the end, if the service provider fails, it doesn't matter. The enforcement division will be asking you to defend what you did.
So make sure you have solid service-level agreements with service providers, clear governance processes, access to books and records, surveillance and exception reports, and audit and inspection rights.
No matter what goes into the cloud, you remain responsible for compliance.
Otherwise, Sharp said, "when the cloud bursts, the system will fail, and you, the user, will end up in jail."