





Jointly presented by: ACCA and FIA (logos)

and supported by: Equinix and gt (logos)


The ACCA and the Futures Industry Association Japan (FIA Japan) co-hosted a discussion in Tokyo on 1 Nov 2016. The evening’s discussion was in three parts: first, key regulatory updates from the US and from Asia Pacific, followed by a focus on Japan’s regulatory landscape most pertinent to Japan’s financial services industry (FSI), and finally, an open discussion on the business risks to FSIs moving to cloud, and the regulatory approaches which have been taken to manage both the risks as well as technology compliance requirements. 






The programme started with a review of Japan FSI cloud technology usage by Atsushi Miyawaki from KPMG Consulting. A key observation he made was that the use of cloud computing for mission-critical systems was almost nonexistent for public cloud, and relatively low for private cloud deployments. The usage of cloud increases as the perceived “risk” to the FSI’s mission decreases (see Figure 1 below).



Figure 1: Current State of Cloud Computing by Japanese Financial Institutions (source: KPMG Japan)


This was followed by a review of Asia Pacific’s FSI regulations, and how “cloud friendly” they are (see Figure 2). This was led by Lim May-Ann from the Asia Cloud Computing Association. She shared that over the last year, there have been several notable updates, changes, and consultations in Asia Pacific which show that regulators are making some effort to accommodate technology changes and the introduction of cloud computing. Examples include South Korea’s banking and securities regulators updating their technology use guidelines specifically for cloud computing usage, and changes in outsourcing policies from the financial regulators in Australia, Singapore, and Hong Kong, with the Reserve Bank of New Zealand (RBNZ) currently holding public consultations on this as well.



Figure 2: Summary Assessment of all Asia Pacific Economies Against the ACCA’s Five Cloud Regulation Recommendations for the Financial Services Sector


Koichi Ohashi from venue host Greenberg Traurig LLP then introduced Lori S Nugent and Jonathan A. Beckham, who, in a pre-recorded video message, presented the US regulator’s concerns around cyber risks to the financial system when FSIs move to new technologies such as cloud, and how FSIs could put in strong risk management systems to reduce this business risk to the organisations.




 Part II: FSI and Cloud Computing Use in Japan

The discussion then turned to a focus on cloud-specific regulations in Japan’s securities and trading sector, where Lim May-Ann from the ACCA shared the findings from a new report released by the ACCA with the support of Equinix Asia Pacific, "Asia's Financial Services: Ready for the Cloud - Securities Regulations Impacting Cloud in Japan, and 2016 Update." 


Full ACCA Japan Addendum available here - in English and Japanese



The report reviewed all the key regulations impacting securities and trading companies, such as The Act on the Protection of Information, The Banking Act, The Insurance Business Act, the Financial Instruments and Exchange Act, the various Manuals for FSI institutions, and the Centre for Financial Industry Information Systems (FISC) Security Guidelines on Computer Systems. Ms Lim covered which regulations needed to be adhered to when considering cloud computing use, by overlaying Japan’s regulations with ten key principles for cloud computing use in the financial services sector (see Figure 3 below).


Figure 3: Ten key principles for mitigating risks and improving cloud computing use in the financial services sector


An important briefing on the upcoming scheduled update to Japan’s Data Privacy Act was then given by Koichiro Ohashi from Greenberg Traurig. Mr Ohashi focused on the major amendments which would be made, especially the changes which would impact cross-border data flows. These updates were met very positively by audience members, many of whom were from multinational companies that may need to share information between local and foreign branches of their companies.




Part III: Panel Discussion on Cloud Risks and Rewards in the FSI Sector

The evening’s discussion was rounded off by a panel discussion on how to balance the risks and rewards of FSIs moving to cloud computing. Moderated by Lim May-Ann of the ACCA, the panel featured Pieter Franken, Executive Director of the Monex Group; John Knuff, Senior Vice President and Global Head of Payments from Equinix; and Masakazu Narita, Senior Customer Compliance Director with Microsoft Japan.

Four main topics were discussed:

  1. FSI issues and concerns when implementing cloud computing. Here panellists agreed that FSIs should not move to cloud computing for its own sake, but rather seek to fulfil a business purpose when moving to cloud, e.g. better efficiency, or improved business continuity. This will better justify the cost of moving to cloud when the inevitable unexpected issues arise during migration and updating.
  2. Global harmonization of laws and regulations? Despite work done at the OECD and APEC levels, true harmonization of laws and regulations around technology use and privacy laws looks unlikely, especially since FSI regulations are still jurisdictionally based. Panellists advised the audience not to wait for harmonization to happen, and to deploy public cloud where possible. With new technologies like containerization and better disaster resilience services offered by cloud computing, there is a strong argument to be made for moving to cloud.
  3. Recent regulatory engagement. All panellists have been engaged with regulators in the scope of their jobs, be it in Japan or on an international basis. They all agreed that with new technology, there is a greater need for regulators and industry to share information, especially in new sectors which need to be nurtured with conducive “balanced risk-taking” regulation, such as the fintech sector. All panellists also agreed that they have seen small actions where the financial regulators have started to reach out for specific industry advice, such as that around cybersecurity for FSI.
  4. Balancing cybersecurity surety with the regulator’s role in risk management. Panellists observed that some prescriptive regulations have emerged recently around cybersecurity, such as the CFTC’s cybersecurity rules, which prescribe that the organisations under their purview must conduct five (5) sets of cybersecurity testing: (1) vulnerability testing, (2) penetration testing, (3) controls testing, (4) security incident response plan testing, and (5) enterprise technology risk assessments. They felt that while there was a need to ensure resilient and available systems, international standards for cybersecurity such as those released by the ISO could be leveraged to ensure international compliance.

Panellists also observed that some FSIs needed to take better steps to ensure that the role of the Chief Information Security Officer (CISO) was credibly staffed. There was a need to ensure that the CISO role is held by someone who is responsible for ALL security in the FSI, and not just technology cybersecurity.

The panel concluded with panellists advising the audience to “get off the sinking ship of old technology”, and to embrace cloud computing as it is the “ultimate incubator of innovation.” The audience was advised to avoid being left behind, and to adopt cloud computing to “help your company and country be more agile.”


The evening ended with a round of networking drinks, where audience members and all discussants had the opportunity to meet and chat informally.


For more information regarding upcoming research projects, please contact us.