Material Outsourcing to the Public Cloud: Identifying Sub-Processors for the Big 3

Published By Ben Saunders - OpRes Founder

Roughly a 2-minute read

Late last night, I received a handy little update from Google that highlighted several changes in their list of approved sub-processors that operate as third-party suppliers across the suite of products on GCP. 

Curiously, I quickly checked both AWS and Azure for similar material and quickly identified their respective responses as well. With a heightened focus from regulators around material outsourcing of critical technology functions to the public cloud, I thought it would be useful to share these links with our readership. 

In addition, we’ve also posted some useful links which will help firms build an evidence-based response to regulators regarding their adoption of the public and specifically, how they intend on managing factors across their operational resilience agenda. 

AWS: Head over to AWS’s website to see a breakdown of its subprocessors across their cloud service landscape. AWS has seen a plethora of firms launch digital products on their cloud platform in the last 24 months and this handy microsite provides insights into how firms are building new digital banking propositions at speed. 

In addition, AWS has created AWS Artifact to store and host the documented evidence associated to complying with regulations like PCI and SOC, amongst others. 

Finally, AWS published this blog which discusses how their higher-level services can be used to comply with the EBAs’ guidelines around material outsourcing to the public cloud. This is also expanded on in their shared responsibility model framework. 

Google: Now to the instigators for drafting this blog... Google has reported some big wins in recent months with the likes of Lloyds Banking Group, HSBC, and Deutsche Bank opting for them as one of their chosen cloud service providers. You can find a Googles list of approved sub-processors for GCP here. Whilst we also found this really handy mapping of the EBA’s cloud outsourcing guidelines and Google’s corresponding responses. 

Microsoft: Microsoft has been an established partner in the financial services sector for decades. They have very deep-rooted relationships with many of the worlds leading financial institutions. As such, it is no surprise to see that they have their house in order when supporting customers with the right material to respond to these needs. You can download a list of their approved sub-processors here. In addition, they have created a useful document that discusses the myths and truths associated to exit planning with a cloud service provider. Whilst this document is aimed towards Azure-based services, many of the concepts are transferable to other cloud service providers. Last but by no means least, you can find Microsoft’s approach to complying with the FCA’s updated cloud guidance here.

Feel free to get in touch with us here at OpRes if you have any questions about these regulatory policies or how we are assisting firms with their operational resilience programs and responses. As well as addressing their shifts to the public cloud and this growing perception of concentration risks across the financial services sector. 

We hope these links are useful for you and your team’s efforts over the next 6-months and beyond! 

Thanks for reading,

Ben