When Good Intentions Go Bad – Regulators and Cloud

Date: May 17, 2016

Cloud computing symbol representing data resources accessible with a computer and an internet connection.Regulators are often, to quote one of my old bosses when referring to his boss, unencumbered by reality. Their detachment from the practical application of their ideas has been especially apparent in the past few years as Dodd Frank and other post-crisis regulations have come into effect.

Just look at what happened with Money Market Reform. The SEC gave the industry nine months to prepare for Form N-MFP, modified it a few times in the months leading up to and after the first filing, made massive modifications to the form a few years after it was initially filed, modified the specifics of the revised filing four times in the four months leading up to the first filing in April 2016, and will change it again for the October 2016 filing, all while mandating a floating NAV. Form PF filers have had a similar experience.

Believe it or not, compared to European regulators, the SEC is a paragon of reasonableness.  In late 2013, the Central Bank of Ireland gave the industry six months of notice to begin filing the Resident Money Market and Investment Funds Return (MMIF), changed it three times in the six month period between the final rule and the first filing, and in the past two years has modified it another 8 times. More recently, the Commission de Surveillance du Secteur Financier (CSSF) in Luxembourg also gave the industry just six months to begin filing U1.1 in June of this year.

If 21 years in the asset management industry has taught me anything, it is that convincing regulators to be reasonable is a fool’s errand. Your best bet is to deal with the reality that regulators will do things on their timetable, not yours. Deal with the reality that things will change early and often – that you will need to be able to respond quickly.

One of the best ways to do this is to leverage SaaS technology. For those of you who don’t know what that is, SaaS is the non-scary, or perhaps less scary, word for Cloud. Using the Cloud for regulatory filings makes them less costly, significantly reduces the implementation time and effort, and allows filers to adjust to the many regulatory changes at minimal cost and without sacrificing other IT projects. When used properly, it has the potential to transform the major hassles of the preceding paragraphs into minor bumps in your road to regulatory compliance.

Unfortunately, the Cloud is also a cybersecurity boogeyman, conjuring up an undeserved image of evil, long-haired, goatee-sporting hackers gleefully rolling around in a bed full of ill-gotten client data. Through good-intentioned cybersecurity monitoring, regulators have discouraged the use of the Cloud, especially by the big third-party administrators. Hearing from an operations team that a SaaS solution would be great, but it will require a monumental amount of effort to convince their IT group to take on the additional – and irrational – regulatory scrutiny that Cloud brings, is not an uncommon occurrence for me.

The negative impact of discouraging SaaS technology ultimately rolls downhill to investors, the people the regulators intend to protect. Regulations are a balance between the good of consumer protection and the bad of increased cost and barriers to entry. Giving regulatory sanction to the use of the Cloud would be a great way to get around that unfortunate trade-off, a way for regulators to get most of the good with a lot less of the bad.