DORA: The Next Big Thing in Regulation

HOW WILL IT AFFECT YOU AND YOUR BUSINESS?

In the last few years two major pieces of regulation have shaped the digital transformation of financial services: the Second Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR).

PSD2 requires all EU banks to provide APIs through which licensed third parties can access customer account data, with the customer’s consent. This requirement enables many innovative banking propositions and establishes the principle that customer data held by the banks belongs to the customer, who has the right to share it with whomever they choose.

GDPR regulates how customer data is collected, used and shared. It also establishes that control over the data rests with the customer, who must give informed consent to its use (or another lawful basis must apply). Both are arguably clumsy pieces of legislation, but they have achieved a lot in transforming how not just EU firms but companies across the world treat customer data. Digital and financial firms that want to serve the EU’s 446m people - some of the wealthiest customers in the world - have had to adapt to these regulations, and this has led to changes across the globe.

In the US we are seeing banks voluntarily providing APIs to their customers’ data. There is no federal data protection law comparable to GDPR, but local advocacy groups have grown increasingly active on the subject and some states have responded: the California Consumer Privacy Act (CCPA) is the closest US equivalent to GDPR, albeit at state level.

A new wave of regulation is about to start from Brussels and will eventually reach all global markets. It is called DORA (the Digital Operational Resilience Act) and was presented by the European Commission on 24 September 2020 as part of its Digital Finance Package.

DORA is a proposal for a Regulation on digital operational resilience for the financial sector that aims to harmonise how ICT risks are regulated across the EU financial services ecosystem. It is not yet in force, but we can expect it to go live in some form after 2023.

I am not a legal or regulatory expert, so what follows is a layperson’s understanding of what DORA aims to achieve. In summary, its scope is to consolidate and rationalise the existing EU rules addressing the risks arising from financial institutions’ use of ICT. It has four overarching objectives:

  1. Strengthen the ICT risk management

  2. Standardise resilience testing and monitoring

  3. Harmonise information sharing and incident reporting

  4. Extend ICT regulation to all parties involved

DORA aims to achieve these outcomes:



STRENGTHEN THE ICT RISK MANAGEMENT

DORA aims to make the senior executives of a bank directly responsible for ICT risk. It will no longer be possible to delegate that responsibility down the hierarchy of the organisation: the entire leadership, the whole management body and not just the CTO, will need to own, understand and manage ICT-related risk. The bank’s leadership will have to make sure that the ICT risks inherent in its business are understood across all areas of the bank and that every division and individual realises their role in managing them. The leadership of banks and other EU financial services organisations will need to set the rules, establish supervisory frameworks, define the right mitigating measures and, importantly, set the right tone across all business areas so that prudent ICT risk management is possible across the firm.

DORA expects the leadership of every regulated institution to own the responsibility for steering ICT risk management on an ongoing basis, making the supervision and monitoring of, and the response to, ICT-related issues an executive responsibility.

This will require bank leaders to be well informed and up to date on ICT developments and the risks they bring, which will make continuous training and upskilling of bank leaders a real priority going forward.


STANDARDISE RESILIENCE TESTING AND MONITORING

The regular testing regimes of financial services firms will need to be strengthened and expanded. Most firms have had resilience testing and monitoring processes in place for some time, but the EU regulators believe that these need to be upgraded.

Most banks begin by defining potential risks and selecting the ones they feel need monitoring. They then design and implement policies to identify and mitigate those risks, use them to monitor the risks and quantify their impact, and respond to any threat on the basis of those assessments. Over time this feedback loop lets them refine their identification and mitigation strategies.

Because every bank seems to have a different approach to resilience testing, DORA will require all firms to put in place comprehensive testing programmes that meet a minimum set of requirements. These will have to be run regularly and, for firms identified by their supervisors, include large-scale threat-led penetration tests against live production systems at least every three years, performed by independent third parties. A threat-led test differs from a conventional scoped penetration test in that it is driven by intelligence about the threat actors most likely to target the firm and exercises people and processes as well as technology, the approach already used in the ECB’s TIBER-EU framework on which DORA builds. It is proposed that the testing programmes and threat scenarios will have to be agreed with the regulator in advance and that firms will receive an attestation from the competent authority on completion of the test.

The testing will also need to cover critical ICT third parties, which means that they too will need to be involved in, and accountable for, the preparation of the testing programme.


HARMONISE INFORMATION SHARING & INCIDENT REPORTING

One of the more interesting new requirements introduced by DORA is the enhancement of incident reporting and intelligence sharing. Today, existing regulation requires that any ICT incident that impacts a firm’s ability to carry out its activities be reported to all affected parties: customers who were or could have been impacted, counterparties affected in any way by the incident, the wider public and, of course, the regulators.

DORA proposes a standard incident classification methodology based on a set of specific criteria. The actual thresholds for these criteria have not yet been defined; in due course an assessment rating will be established to define what DORA calls “major” incidents.

Major incidents will have to be reported to the competent authority as soon as possible after detection (the proposal foresees an initial notification followed by intermediate and final reports, with the exact deadlines to be set in technical standards). Anonymised details of the reports will be shared with other players in the industry, and regulated firms will need to align their resilience testing and monitoring with the newly identified risks even if these have not affected them directly.

DORA also introduces the concept of intelligence-related reporting: sharing the vulnerabilities and threats that regulated firms have identified even where these have not resulted in an incident. In the Commission’s proposal this exchange of cyber threat information among financial entities is framed as something firms may do within trusted information-sharing arrangements rather than as a strict obligation. The proposal also asks the ESAs to assess the feasibility of a single EU hub for incident reporting, which would let firms be made aware of potential risks before they are actually affected by them.


EXTEND ICT REGULATION TO ALL PARTIES INVOLVED

DORA wants to ensure that, in addition to the financial institutions themselves, the critical ICT third-party providers (CTTPs) involved in delivering services to regulated entities are also regulated. This introduces broader third-party risk requirements on financial organisations and adds new ones for ICT service providers in the EU concerning the services they provide to financial services firms.

Regulated financial organisations will need to define a risk strategy and policies covering every ICT third party they engage, with responsibility for their implementation and supervision owned by a member of the senior management body. DORA’s new Oversight Framework will see CTTPs assessed against a number of parameters, including but not limited to security, risk management processes, governance, reporting, testing procedures, service continuity and data integrity. Under the proposal, oversight of each CTTP is led at EU level by a Lead Overseer drawn from the European Supervisory Authorities, while supervision of the financial entities themselves remains with the national regulators. These new requirements will have to be coordinated with all other relevant regulators.

Firms covered by this intensified regulatory regime proposed by DORA will include:

  • FINANCIAL INSTITUTIONS such as Banks, Credit institutions, Payment institutions, E-money institutions, Investment firms, Insurance firms and Pensions.

  • INFRASTRUCTURE PROVIDERS such as Trading venues, Clearing houses and Central securities depositories

  • FINTECHS & OTHER INNOVATORS such as Crowdfunding service providers, Crypto-asset service providers, Issuers of crypto-assets and Issuers of asset-referenced tokens

  • DATA & SERVICE PROVIDERS such as Data reporting providers, Credit rating agencies, Auditors, Securitisation repositories and Administrators of critical benchmarks

    And...

  • CRITICAL THIRD-PARTY PROVIDERS such as Digital and data services, Cloud computing services, Software providers, Data analytics services and Data centres. For these it is essential to note that the scope of DORA is limited to their activities related to financial entities.

Interestingly, for now at least, Payment Systems, Card Payment Schemes & System Operators seem to be out of scope for DORA.


On 9 February 2021 the Chairs of the three European Supervisory Authorities (ESAs), the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), published a joint letter offering their conditional support for the initiative. In it they stated their view that DORA will “streamline and strengthen the existing patchwork of relevant provisions across EU financial services legislation” and enhance collaboration among authorities within the EU and internationally.

DORA will be discussed and negotiated by the European Parliament and the Council of the EU in the coming months. However, based on the experience with similar proposals (such as the General Data Protection Regulation) and other financial sector files, a final act is not expected before 2023.

DORA is the next big thing in financial services regulation, and not just for the EU. The impact on financial services providers is potentially substantial: banks and financial institutions will have to dedicate a lot more attention to ICT risks, and senior management will be held accountable for breaches and shortfalls.

Responsibility for measures such as testing regimes and contingency plans will have to sit much higher up the organisation than it does today, and finance houses will need much deeper coordination with their ICT providers when defining their own monitoring, testing and resilience plans.

Interestingly, DORA recognises that the requirements placed on the bigger banks and institutions, with millions of customers and billions in assets, cannot be the same as those placed on FinTechs. Under this principle of proportionality the smaller players can expect a somewhat lighter regulatory regime.

Critical ICT providers would be directly answerable to regulators for the services they provide to banks and financial services organisations. They will have to develop a much deeper understanding of how their clients use their products and services. This will initially be costly, but it will create opportunities for much deeper engagement with financial services clients that need to upgrade their digital operational resilience.

The impact on national regulators is also potentially considerable. They will need to step up their capabilities, so we will see a large push across the EU as regulators seek to acquire ICT knowledge and skills. This is probably good news for ICT firms and specialist advisory firms.

The big winners from DORA will be the markets and the banks’ customers. They will see better financial products, less exposure to ICT risk and overall greater stability. And considering the competitiveness of the global banking sector, it is unlikely that any additional costs passed on to them will outweigh the benefits of a safer banking infrastructure.

One last word of caution to all involved:  best be prepared.