DORA: FinTechs and incumbents need to prepare for the impact of new regulations

Over the past fifteen years, the FinTech incursion into the financial services sphere has been enabled by a relentless digital revolution.

Thus, a trend has emerged whereby smaller FinTech disruptors, and more recently a number of larger incumbents, have increased their reliance on digital services provided by a minority of large technology companies such as Amazon, Microsoft, and Google. This phenomenon has fuelled concerns surrounding ‘concentration risk’.

For some time this has predominantly been through the use of third-party information and communication technology (ICT) systems such as multi-party utility computing (known as ‘Cloud’), and more recently through nascent higher-order systems such as data warehousing and artificial intelligence. In light of this dependence, the potential impact that a critical incident may impose upon the financial system is of increasing concern.

Until now, financial services entities have not benefitted from clear regulatory guidance in order to mitigate the potential consequences of concentration risk. This has led to inconsistent approaches towards managing operational resilience and cyber security risk.

To address this and other deficits which may contribute towards a major disruption to the financial services sector, the European Union (EU) has introduced the Digital Operational Resilience Act (DORA). DORA will come into effect on the 17th January 2025.

DORA will directly apply in all EU member states and cover a broad range of financial services entities including Account Information Service Providers (AISPs), Payment Initiation Service Providers (PISPs), Credit Institutions, Electronic Money Institutions (EMIs), crypto-asset service providers, insurance carriers, reinsurers, and their respective agents. Furthermore, in instances whereby parent companies of EU-regulated firms may wish to standardise and procure their digital services on a group-wide or global basis, DORA will apply even if parent organisations are based outside the EU.

DORA seeks to harmonise the rules which govern risk management and operational resilience in the financial services ICT sphere and, in so doing, sets the baseline requirements for financial services entities, inclusive of banks and insurers in addition to FinTechs, as well as their third-party ICT service providers. ICT service providers are interpreted fairly broadly: they notably exclude traditional analogue telephone services but include most modern digital and other technology services.

At the heart of DORA is a recognition of the interconnected nature of the financial ecosystem and the potential for systemic risks which may be induced by service disruptions and/or cyber threats.

The European Supervisory Authorities are expected to set out in greater detail and/or expand upon a number of DORA’s requirements. Examples include defining critical third-party ICT service providers and setting out the ICT-related incident reporting thresholds, as well as their respective testing requirements.

DORA is built upon five pillars which underpin operational resilience in digital services/ICT, namely:

  1. ICT Risk Management - proactive and continuous monitoring of risks, business continuity planning, and incident management.

  2. Incident Reporting - detection, classification, and reporting of ICT-related incidents. Includes the reporting of relevant cyber threats.

  3. Digital Operational Resilience Testing - assessing and identifying shortfalls in resilience, with threat-led penetration testing at the appropriate level for entities considered to be of high risk.

  4. ICT Third-party Risk Management - assessing and ensuring that third-party digital/ICT service providers meet the same rigorous requirements and resilience standards as are expected of the financial services entities using their services.

  5. Information and Intelligence Sharing - promotes collective resilience through sharing cyber threat intelligence and “zero day” information amongst in-scope firms.

The implications for FinTechs and other financial services entities as well as their ICT providers will attract a number of key considerations such as:

  • Governance and Accountability - financial entities are expected to establish clear lines of responsibility and oversight for digital operational resilience. Leadership will be accountable for ensuring compliance and fostering a robust resilience culture.

  • Investment in Resilience Capabilities - financial entities and their ICT providers may be required to invest in enhancing their risk management frameworks, incident response capabilities, testing methods, and their third-party management practices.

  • Collaboration and Information Sharing - collaboration and intelligence sharing among financial entities, ICT providers, and regulatory authorities will likely be required in order to promote transparency, facilitate knowledge transfer, and enable a coordinated response to cyber threats or incidents.

  • Third-Party Risk Management - financial entities will likely be required to perform due diligence and ongoing monitoring of their ICT providers in order to ensure compliance. This may lead to disruption to existing vendor relationships, and to negotiation to put in place contractual arrangements and service level agreements which reflect DORA’s requirements.

  • Regulatory Oversight and Enforcement - financial entities and ICT providers should expect increased scrutiny, audits, and potential penalties for non-compliance as DORA empowers regulatory authorities with enhanced oversight and enforcement capabilities.

Article 30 of DORA sets out a range of contractual requirements which need to be incorporated into either existing ICT contracts or new ones entered into moving forward. Although these are similar to those set out in the EBA Outsourcing Guidelines, a gap analysis will be needed in order to ensure remediation and compliance with DORA. Furthermore, since section 4 of Article 30 alludes to standard contractual clauses, it’s likely that many existing contracts will need to be amended. This is comparable to what transpired when GDPR prompted addenda in numerous third-party contracts a few years ago.

Although DORA is an EU law, similar requirements are echoed in the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule which came into effect in July 2023.

Thus, equivalence may incrementally make its way into the US regulatory landscape and quite possibly provides insights into where the UK and others may be heading. Naturally, this may raise the barriers to entry as well as start-up costs associated with new FinTechs and require an overhaul within incumbents.

Proponents of decentralised finance (DeFi) will likely experience a decelerating effect as a consequence of these additional regulatory controls, which may potentially stifle innovation. Incumbents and established FinTechs will probably experience this as a ‘moat’ which culls the number of new competitors from entering the market. I wrote extensively about this phenomenon and its effects in my book, “Bad Money.”
