2016 CLOUD COMPUTING SERVICES: USAGE BY THE FINANCIAL SERVICES INDUSTRY
BUSINESS MODELS AND REGULATORY APPROACH
1 NOV 2016, TOKYO, JAPAN
The ACCA and the Futures Industry Association Japan (FIA Japan) co-hosted a discussion in Tokyo on 1 Nov 2016. The evening’s discussion was in three parts: first, key regulatory updates from the US and from Asia Pacific, followed by a focus on Japan’s regulatory landscape most pertinent to Japan’s financial services industry (FSI), and finally, an open discussion on the business risks to FSIs moving to cloud, and the regulatory approaches which have been taken to manage both the risks as well as technology compliance requirements.
Part I: Cloud Computing Use and FSI Regulations Around the World
The programme started with a review of Japan FSI cloud technology usage by Atsushi Miyawaki from KPMG Consulting. A key observation he made was that the use of cloud computing for mission-critical systems was almost non-existent for public cloud, and relatively low for private cloud deployments. The usage of cloud increases as the perceived “risk” to the FSI’s mission decreases (see Figure 1 below).
Figure 1: Current State of Cloud Computing by Japanese Financial Institutions (source: KPMG Japan)
This was followed by a review of Asia Pacific’s FSI regulations, and how “cloud friendly” they are (see Figure 2), led by Lim May-Ann from the Asia Cloud Computing Association. She shared that over the last year, there have been several notable updates, changes, and consultations in Asia Pacific which show that regulators are making some effort to accommodate technology changes and the introduction of cloud computing. Examples include South Korea’s banking and securities regulators updating the technology use guidelines specifically for cloud computing usage, and the changes in outsourcing policies from the financial regulators in Australia, Singapore, and Hong Kong, with the Reserve Bank of New Zealand (RBNZ) currently holding public consultations on this as well.
Figure 2: Summary Assessment of all Asia Pacific Economies Against the ACCA’s Five Cloud Regulation Recommendations for the Financial Services Sector
Koichi Ohashi from venue host Greenberg Traurig LLP then introduced Lori S Nugent and Jonathan A. Beckham, who, in a pre-recorded video message, presented the US regulator’s concerns around cyber risks to the financial system when FSIs move to new technologies such as cloud, and how FSIs could put in place strong risk management systems to reduce this business risk to their organisations.
Part II: FSI and Cloud Computing Use in Japan
The discussion then turned to a focus on cloud-specific regulations in Japan’s securities and trading sector, where Lim May-Ann from the ACCA shared the findings from a new report released by the ACCA with the support of Equinix Asia Pacific, "Asia's Financial Services: Ready for the Cloud - Securities Regulations Impacting Cloud in Japan, and 2016 Update."
The report reviewed all the key regulations impacting securities and trading companies, such as The Act on the Protection of Information, The Banking Act, The Insurance Business Act, the Financial Instruments and Exchange Act, the various Manuals for FSI institutions, and the Centre for Financial Industry Information Systems (FISC) Security Guidelines on Computer Systems. Ms Lim covered which regulations needed to be adhered to when considering cloud computing use, by overlaying Japan’s regulations with ten key principles for cloud computing use in the financial services sector (see Figure 3 below).
Figure 3: Ten key principles for mitigating risks and improving cloud computing use in the financial services sector
The upcoming scheduled update to Japan’s Data Privacy Act was then covered by Koichiro Ohashi from Greenberg Traurig. Mr Ohashi focused on the major amendments which would be made, especially the changes which would impact cross-border data flows. These updates were met very positively by audience members, many of whom were from multinational companies that may need to share information between local and foreign branches of their companies.
Part III: Panel Discussion on Cloud Risks and Rewards in the FSI Sector
The evening’s discussion was rounded off by a panel discussion on how to balance the risks with the rewards of FSIs moving to cloud computing. Moderated by Lim May-Ann of the ACCA, the panel featured Pieter Franken, Executive Director of the Monex Group; John Knuff, Senior Vice President and Global Head of Payments from Equinix; and Masakazu Narita, Senior Customer Compliance Director with Microsoft Japan.
Four main topics were discussed:
Panellists also observed that there were some FSIs who needed to take better steps in ensuring that the role of the Chief Information Security Officer (CISO) was credibly staffed. There was a need to ensure that the CISO role has someone in place who is responsible for ALL security in the FSI, and not just technology cybersecurity.
The panel concluded with panellists advising the audience to “get off the sinking ship of old technology”, and to embrace cloud computing as it is the “ultimate incubator of innovation.” The audience was advised to avoid being left behind, and to adopt cloud computing to “help your company and country be more agile.”
The evening ended with a round of networking drinks, where audience members and all discussants had the opportunity to meet and chat informally.