Offloading Compliance Responsibilities to a Vendor Still a Dream

It's a chief compliance officers' dream come true.

The CCO outsources some of his or her compliance requirements to a cloud provider to alleviate some of the stress and pressure that comes with constant regulations. The responsibility ─ and potential penalties ─ all fall on the vendor, not the firm. 

While that scenario is hopeful, it's also problematic. Can firms just sign a service level agreement (SLA) and not have to worry about a compliance requirement again?

That was a question brought up by a panel at the Chicago Trading and Technology Summit 2015 as industry experts discussed how to leverage technology innovation to manage regulation and compliance.

"Can you offload something to a cloud provider to no longer make it your responsibility, or does that just complicate matters altogether?" a member of the crowd asked the panelists.

Not the Case

While it might be nice for banks to lessen their compliance demands, the end responsibility still falls on the firm and its compliance department, according to Petar Kostur, a chief compliance officer at Chicago-based Fifth Third Bank.

Kostur said his firm does utilize outside service providers, but the bank is still responsible if anything goes wrong.

"At the end of the day, the CFTC is not going to be like, ‘Oh, I didn't realize such-and-such vendor screwed this up. You're off the hook,'" Kostur said. "They're going to be like, ‘Well, you didn't have to use them. You can't do whatever you want.' Therefore, it ends up in my pocket."

SLAs

The same attendee then asked if an SLA could be constructed in a way that would change things. What if large firms like Google or Amazon said they would be willing to step up to the plate and take those requirements off the banks' hands?

Justin Slaughter, chief policy advisor and special counsel to the office of commissioner Sharon Bowen of the CFTC, said neither of those companies has reached out to him about that possibility, although he said it would make for a fascinating meeting.

Slaughter said he wasn't aware of those tech companies even looking into creating any type of all-encompassing SLAs, but he would be intrigued by it. However, as powerful as the cloud is, Slaughter said firms should still be hesitant.

"At a time of heightened cyber risk, I do have to worry about that too," Slaughter said. "The very benefit of tech is you substantially improve trading and compliance. You also are at risk. ... Electronically, damn near anything can happen."

Marc Merrill, CCO of E.ON Global Commodities' North America-based operations, cited a recent case in which the CFTC fined a bank that was having problems with its vendor for a reporting violation. Despite the firm trying to work with its vendor, Merrill said, the vendor was continuing to submit incorrect information to the CFTC.

It's those situations that exhibit why it still comes down to firm's compliance departments at the end of the day, said Kostur.

"If the CFTC came to us and said, ‘Well, we want these voice recordings for this issue,' and the outside service provider we used said they lost it, what do I do? Besides cry," Kostur said.

The Bottom Line

• Firms' compliance departments cannot rely on vendors to take complete responsibility for compliance requirements.

• While large cloud providers offer plenty of power and cost-saving opportunities, they can't totally erase firms' compliance responsibilities.

• Firms need to understand that they are still responsible for remaining compliant, even if there is a problem with their vendor.