Helping U.S.-based financial services firms manage third-party due diligence requirements when using Google Cloud

Financial services institutions increasingly rely on external service providers for a variety of technology-related services, including cloud computing. This trend materialized as firms recognized the value in focusing on their core competencies while using third party solutions to gain business, operational, security, resiliency, and other efficiencies. As the financial services sector is one of the most heavily regulated, firms need to carefully consider which third parties they engage and for what types of services, as they remain ultimately accountable for the performance of such services in the eyes of both their customers and regulators. 

In the United States, financial services institutions may be regulated by a number of regulatory bodies whose remits are broadly defined by jurisdictional reach (such as federal or state jurisdictions), the type of business they regulate (including banking, capital markets, commodities, and derivatives), and the services that they provide. Collectively, the regulatory guidance and requirements seek to ensure that financial services institutions have implemented reasonable and appropriate risk management programs to guide the selection and ongoing monitoring of third party-provided tools and services such as Google Cloud.

Google Cloud understands that financial services institutions are held to high standards for the privilege of operating within the financial services ecosystem, and to continue to do so, must abide by the rules and regulations that contribute to the bedrock of maintaining trust and confidence in the U.S. financial markets. We recognize the scrutiny to which financial services firms are subject in performing robust vendor due diligence and support customers in their comprehensive assessments of relevant Google Cloud policies, processes, and technical implementations in various ways. 

In our FSI Migration paper, we detail the due diligence regulatory considerations that U.S.-based financial institutions should consider when migrating to Google Cloud. These requirements include third-party governance, onboarding, and continuous oversight.We’ve highlighted a snapshot of these below. 

Cloud service provider governance 

U.S. financial services regulators require financial services institutions to implement risk-based programs to guide the selection of cloud-provided tools and services, and their ongoing monitoring. However, they recognize that one size does not fit all, and have woven this messaging throughout their guidance documents, regulatory notices, and published examination observations. 

Firms in financial services are encouraged to take reasonable measures to evaluate and mitigate their risks. In that vein, they must structure their third party risk management programs to include cloud service providers (CSPs) and based on considerations, including, for example, the materiality of the services they provide, the availability of viable alternatives, and the degree of physical and logical access the third party may have to the firms’ systems and premises. These considerations, among many others, are typically evaluated by the relevant governance committee relative to the firm’s risk appetite and overall business strategy. 

In defining and establishing their due diligence governance programs, financial services firms should typically: 

• Engage stakeholders across functions to inform a multidisciplinary approach  

• Enable senior management engagement and visibility to the Board of Directors 

• Identify relevant rules, regulations, guidance and regulatory expectations for effective cloud provider oversight, which in turn drive the determination of requisite controls 

• Conduct recurring reviews that assess the third party’s financial condition, reputation, operational and technical controls, and contractual obligations 

• Ensure the third party’s performance is in line with the agreed-upon expectations

• Establish an escalation process for potential issues and a mechanism for exiting the relationship, if necessary

The Google Cybersecurity Action Team is often engaged on this topic and provides strategic advisory, trust, and compliance services to customers seeking to streamline their risk management programs in line with broader cloud governance and digital transformation efforts. 

Onboarding and continuous oversight of cloud providers

After selecting and onboarding your cloud provider, and throughout the relationship, FSI regulators expect ongoing risk assessments and oversight, with a focus on the implementation of processes and controls to:

• Ensure the security and confidentiality of customer data

• Guard against threats to the integrity of customers’ information

• Prevent unauthorized access to, or manipulation of, customer records

• Plan for business continuity and disaster recovery

• Handle potential outages and incidents

• Fulfill regulatory recordkeeping obligations

Google Cloud is committed to operate in a shared fate model for risk management in conjunction with our customers. Google Cloud’s Trust Center outlines our principled approach, as well as our security, compliance, data privacy, transparency, and resiliency commitments that customers can expect when working from us, that are also routinely independently audited. One way of providing visibility into Google’s compliance and controls is through the many industry-recognized certifications and attestations which Google Cloud has earned, and the independent assessment reports which are regularly updated and customers can access directly. 

Google Cloud also partners with third party risk management exchanges that enable an additional layer of validation, helping customers gain efficiencies by utilizing comprehensive, standardized reports of controls that address regulatory requirements and expectations in lieu of bespoke, manually-executed questionnaires. Additionally, Google Cloud has dedicated teams supporting customer risk management and due diligence programs that provide financial services institutions with even greater transparency when exercising their audit rights. 

These are by no means an exhaustive list, but are intended to be illustrative in articulating Google Cloud’s continued commitments to customer security and data protection, as seen through the lens of a vendor due diligence program. 

Further reading

Google Cloud has various resources available to guide customers through the process of understanding how Google Cloud meets applicable due diligence requirements. For further reading, refer to the following: 

• Our FSI Migration To Google Cloud whitepaper

• The mapping of Google Cloud and Google Workspace to each of the FDIC, Federal Reserve, OCC, SEC, and FFIEC Outsourcing Guidelines 

• Our Compliance Offerings page provides additional information on Google Cloud’s certifications and compliance capabilities