Exploring the Digital Operational Resilience Act (DORA) - How financial risk and ICT risk have become one
The EU's Digital Operational Resilience Act (DORA) doesn't just blur the line between financial sector firms and their ICT providers; it erases that line entirely. This change has significant implications for everyone in FinTech and banking.
Image: Unsplash
Operational risk in the financial sector
There are strong regulations in place governing financial stability for EU banking and finance institutions, not least the Basel trio. Anyone offering banking services in Europe understands the capital requirements and other rules to which they must adhere, because they apply across the board.
However, when it comes to operational risk the situation has been more patchwork, with different EU member states having different ways of defining such risk and mitigating against it.
Now that's changing. The Digital Operational Resilience Act (DORA) presents banking and financial services firms with a single set of rules that applies to everyone operating in the EU. It covers not just risk factors within a financial institution, but also applies to any Critical Third-Party Providers (CTPP) of that institution.
This is a major change. Financial service providers can now be punished for operational disruption that occurs not only due to their own internal systems but those of their ICT providers too, including cloud service providers. The expectation of operational resilience applies to all of the links in the chain.
Behind DORA is the sensible realisation that no financial institution is an island. Problems at one bank will affect other banks, problems at one FinTech company will affect other FinTech companies, allproblems will affect customers, and major problems will affect the EU's economy.
Operational resilience depends not only on financial factors such as a bank's capital reserves, but also operational ones such as its ICT framework, its website and apps, its ATM network, its ability to withstand denial-of-service attacks and so on.
Affected firms are expected to be fully compliant with DORA by January 2025. But what does that compliance entail?
The purpose of DORA
According to the legislative text, DORA aims to consolidate and upgrade ICT risk requirements as part of the operational risk requirements that have, up to this point, been addressed separately in various EU acts. While those acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they did not comprehensively tackle all components of operational resilience. The operational risk rules, when further developed in those Union legal acts, often favoured a traditional quantitative approach to addressing risk (namely setting a capital requirement to cover ICT risk) rather than targeted qualitative rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents, or for reporting and digital testing capabilities. Those acts were primarily meant to cover and update essential rules on prudential supervision, market integrity or conduct. By consolidating and upgrading the different rules on ICT risk, all provisions addressing digital risk in the financial sector should for the first time be brought together in a consistent manner in one single legislative act. Therefore, DORA fills in the gaps or remedies inconsistencies in some of the prior legal acts, including in relation to the terminology used therein, and explicitly refers to ICT risk via targeted rules on ICT risk-management capabilities, incident reporting, operational resilience testing and ICT third-party risk monitoring. This Regulation should thus also raise awareness of ICT risk and acknowledge that ICT incidents and a lack of operational resilience have the possibility to jeopardise the soundness of financial entities.
Image: Unsplash
Risk assessments, incident reporting and response
DORA requires that firms carry out thorough risk assessments of their own operations and those of their critical providers, specifically identifying problems that could lead to loss of operational resilience. Regular, rigorous testing of critical systems is demanded.
There are strict criteria for ICT incident reporting: breaches, hacks, data loss, downtime, DoS attacks, ransomware, etc. Importantly, DORA requires that firms demonstrate exactly how they will recover from such issues with the minimum of operational downtime. Disaster recovery and business continuity plans must be detailed and practical, covering even natural disasters.
Strong data security measures are required to maintain customer privacy and confidentiality, a fact that may encourage some banks and financial services companies to reconsider their use of non-local datacenters, especially those in the US. Some analysts have speculated that this is intentional: in combination with other upcoming EU regulations and directives, DORA encourages the use of home-grown data storage services. Is a data-sovereign Europe part of the long-term plan? Perhaps so.
Most of these requirements should already be in place within any well-run firm, but DORA makes it explicit: this is no longer best practice but the only acceptable practice.
Tough penalties for non-compliance
The EU does not expect banks and financial services firms to comply with the Act without a little encouragement. Teams of supervisors and overseers will ensure compliance with DORA. They will have significant power.
Organisations that violate the Act's terms can be severely punished. Specific details of fines aren't including the main DORA text but Article 50 of the Act, entitled Administrative Penalties and Remedial Measures requires that member states give authorities almost unlimited power to examine documents and data, carry out on-site inspections, interview anyone related to a potential breach, apply criminal penalties, order an organisation to change its behaviour and operations, issue public notices, and impose fines harsh enough to ensure swift compliance. Regulators can order an audit or even demand that an organisation cease operation temporarily or permanently.
The same is true for individuals within a financial firm who breach the Act: financial penalties and possible criminal prosecution are on the table.
The sub-text is clear: if you want to offer banking and financial services in the EU, you must do it by the EU's book - or else.
A cloudy outlook
Storage and compute services offered by AWS, Microsoft Azure and other cloud service providers aren't exempt from DORA, at least not if they are Critical Third-Party Providers to banking and financial firms.
These providers will probably do their best to comply, not least because the EU is a huge market for them, but it seems doubtful that they'll be willing to share in any financial penalty imposed by the EU on one of their customers. Their lawyers aren't likely to allow SLA clauses along those lines, and even if they did, there would be a cost. DORA may therefore make cloud services more expensive for EU financial firms.
Even so, the burden will remain mostly on the banking and financial services firms themselves. Excuses such as "It wasn't our fault! Amazon/Microsoft did it!" may still be true but will no longer be any defence against hefty fines and possible legal repercussions.
The broader picture for DORA and a dash of economic theory
DORA should result in a more reliable and robust customer experience across the board, which is unquestionably a welcome outcome and one that's sorely needed. Like it or not, there are still far too many "unplanned maintenance" events (often a euphemism for an IT systems update gone wrong) in banking and financial services. Customers have no sense of humour when it comes to accessing their money, and nor should they. DORA is likely to raise the performance bar significantly.
But there will be casualties. More strict regulation means that some smaller players will fall by the wayside, unable to absorb the increased costs of compliance. Consolidation of both financial services firms and their ICT providers is therefore likely to increase. We may end up with fewer - but larger - firms handling most of the available business.
This inevitably means less competition, which is usually the outcome of state intervention in any market. That doesn't have to be a bad thing, and DORA is undoubtedly being implemented with the best of intentions. However, it's too soon to know whether the threat of state punishment for systems failure in financial services and banking is a more powerful motivator for outstanding service than the fierce competition that a less-regulated marketplace might encourage.
Economics scholars tend to be divided on this topic at a theoretical level, but the EU believes that it has the right, the duty and the power to force firms to offer the best possible service in the financial sector. Time will tell if that judgement is correct.
Germany’s take on the Digital Operational Resilience Act (DORA)
German banks and financial institutions take DORA seriously and have been preparing for the last year.
According to the BaFin website, BaFin and the Deutsche Bundesbank are also preparing for DORA - in particular, by adopting supervisory and administrative practices and implementing IT processes and systems within the framework of DORA. For example, the financial regulator BaFin in Germany is becoming the national reporting hub for ICT incidents in the financial sector. BaFin also accepts notifications as part of ICT third-party management, which institutions and companies are obliged to submit, and analyzes them with a view to potential risks for the financial sector.
Furthermore, BaFin recently launched a new landing page (in German) dedicated to DORA and the frequently asked questions about the regulation, including:
Which companies does DORA apply to?
DORA is a cross-financial European regulation that bundles and harmonizes regulations of existing sectoral European regulations and guidelines.
The following fall within the scope of the European regulation DORA (Article 2 paragraph 1 DORA):
a) CRR credit institutions, b) payment institutions, c) account information service provider, d) electronic money institutions, e) investment firms,
f) providers of crypto-assets authorized under the Regulation of the European Parliament and of the Council on markets in crypto-assets (MiCAR) and issuers of asset-referenced tokens,
g) central securities depository, h) central counterparties, i) trading venues, j) transaction repositories, k) alternative investment fund managers, l) Management companies, m) data provision services,
n) insurance and reinsurance companies, o) insurance intermediaries, reinsurance intermediaries and secondary insurance intermediaries, p) company pension schemes, q) rating agencies,
r) administrators of critical benchmarks, s) crowdfunding service providers, t) Securitization register, and u) ICT service providers.
How is an ICT-related incident defined in DORA?
An "ICT-related incident" is an event or series of related events, unplanned by the institution or company, that compromises the security of network and information systems and adversely affects the availability, authenticity, integrity, or confidentiality of data or on the services provided by the financial company (Art. 3 Paragraph 1 No. 8 DORA).
What are ICT services within the meaning of DORA?
"ICT services" are digital services and data services permanently provided to one or more internal or external users via ICT systems, including hardware as a service and hardware services. This description also includes technical support from the hardware provider through software or firmware updates, except for conventional analog telephone services (Article 3 Paragraph 1 No. 21 DORA).
Why has the European Union established DORA to monitor critical ICT third-party service providers?
There is currently a very heterogeneous picture within the EU about monitoring critical ICT third-party service providers. For example, while the Act to Strengthen Financial Market Integrity (FISG) introduced extensive powers for supervisory authorities over outsourcing companies in Germany, similar rights do not exist or do not exist to the same extent in other EU countries. Given the risks arising from the concentration of dependencies on critical third-party ICT service providers across borders, this is a potential systemic risk for the European financial market (see recital 30 to DORA). The EU's approach corresponds to its strategy of deepening the European internal market with uniform rules. It will also lead to less effort for financial companies operating across borders.
Will financial companies no longer have to monitor or audit critical ICT third-party service providers in the future if this takes over?
Financial companies must constantly monitor their use of third-party ICT service providers for their business. The supervisory authority's supervision of critical ICT third-party service providers, however, is carried out with an eye on the entire financial market. Therefore, the supervisory oversight of a critical third-party ICT service provider does not relieve financial companies of their regulatory obligations. On the contrary, financial companies remain fully responsible.
In addition to their own monitoring, financial companies will benefit from system-wide monitoring by the supervisory authority from 2025 - namely, by viewing an overview of the recommendations of critical ICT third-party service providers that have not been implemented or have not been fully implemented.
Further FAQs can be tracked via the DORA-specific landing page of BaFin, which is continuously updated with new practical questions and answers.
IT Supervision in the German Financial Sector
DORA was one of the highlights of the BaFinTech conference that took place in Berlin in May 2023. During the DORA sessions, experts highlighted the number of open DORA questions that need further discussion. Therefore, the digital BaFin conference "IT Supervision in the Financial Sector: What does DORA mean in practice?" that is planned to occur on December 5, 2023, will likely shed more light on the practical requirements. The event applications are closed; however, interested parties can follow the BaFin website to receive the post-event updates.
