Google Cloud Platform Bends to Regulation at SLA Level

As financial regulators bring cloud providers under increasing scrutiny, Google Cloud Platform (GCP) is taking an industry-specific approach to service-level agreements, GCP’s vice president of engineering has said.

“Regulators care about what kinds of contracts these banks are signing,” Suzanne Frey said at the Google Next conference in London, in response to a question from WatersTechnology.

Frey said Google Cloud has taken a “multi-pronged” approach to its service-level agreements to make them relevant for each industry and, in the case of financial services, fit them to local regulations.

“We have tweaked our contracts to be very specific to industries and even in some cases the regions in which we are working,” she said.

In financial services regulations “there are some common denominators worldwide, and there are some specific rules in different jurisdictions. So, first and foremost, we have made changes there to align with the regulatory demands,” Frey said.  

GCP has written audit rights into its contracts, for example. This reflects regulations such as the EU guidelines on outsourcing that were updated this year and demand that outsourcing contracts set out the rights of users to audit providers’ premises, including devices, systems and networks.

“We have been working with financial regulators in Europe and worldwide on engagement and audits to expose the full depth of our operations, how we handle information, how we handle business continuity, and the like. And then we are continuing to invest in various compliance regimes,” she said.

Another concern of regulators is portability—the ease with which data can be moved from one cloud provider to another. Logistically that is not a difficult task to undertake, but service providers don’t want to make it too easy for clients to be able to break contract and move to another provider. Regulators are trying to get cloud providers to ensure that their service-level agreements with users don’t hinder the portability of data.

Frey said she understands and respects concerns about portability, but noted that cloud providers are already prepared for outages and prior regulation.

“All the major cloud providers have invested in business continuity and in really, really strong, reinforced infrastructure worldwide. I understand where the pressure for these exit plans is coming from … but fundamentally all of us have to be compliant with GDPR [the EU’s General Data Protection Regulation] and ensure portability anyway.”

Frey said increasing numbers of financial users are starting to use Google Cloud. The tech giant entered the cloud business later than Amazon Web Services and Microsoft with its Azure business, and still has a market share in the single digits. However, research firm Canalys says GCP is the fastest-growing business of the three, up 90% year on year in 2019. 

Most financial firms rely on at least one of these three providers for cloud services, and this so-called concentration risk is worrying governments and supervisory authorities. The EU outsourcing guidelines, for one, are partly intended to help regulators monitor the industry’s over-reliance on a small handful of service providers. The Bank of England has even said that certain aspects of cloud providers’ businesses could one day fall under direct supervision.