2. Nobody Says You Can’t Use Cloud Computing
• Regulators don’t talk about the Cloud
• Regulators talk about what you must do
• You must protect client data
• You must protect against fraud
• You must complete computations in time
3. Auditors Interpret Rules
• Auditors (internal and external) ensure compliance with regulations
• They follow best practice guides
• Violating guides requires strong IT leadership
• You can do it, but your CIO better have a lot of political capital built up!
5. Example: Client Data
• Applies to client or counterparty data
• Could use S3 to store and EC2 to process
• Best practice is that your data never leave your premises
• And you audit all access internally
• And your data centre is completely secure
• What about extrusion?
6. Example: Risk Runs
• BASEL limits set by overnight risk runs
• Risk runs must complete by a given time, or you can’t trade
• What if it turns out Amazon IS finite?
• What if the market explodes at once?
7. Example: Fraud
• Must prevent nefarious teams from injecting P&L related code
• Must audit all injection vectors
• How can you do that in the cloud?
8. Conclusion
• Regulations don’t directly limit Cloud use
• FSA doesn’t understand Virtualization
• Interpretation of regulations implicitly restricts cloud use
• Until compliance and audit teams understand new best practices, adoption will be limited