Clock Is Ticking To Comply With DORA

June 9, 2023
Panellists at Money 20/20 have questioned whether financial firms are ready enough to comply with the EU’s new ICT rules, calling on firms to ensure that they are ready before it is too late.

The EU’s Digital Operational Resilience Act (DORA) has the aim of mitigating systemic operational risk in a financial services market that is increasingly digitally connected.

DORA is important because in 18 months (January 17, 2025) almost every type of financial institution across the EU will be required to ensure that high security controls are in place from suppliers.

But some in the payments and banking world think that not enough attention is being paid to the new regulation from firms.

“People still think of Dora the Explorer,” quipped one Money 20/20 attendee to VIXIO.

However, like other EU regulation such as the General Data Protection Regulation and the anti-money laundering directives, it comes with fines for non-compliance.

For example, failing to comply with DORA as an ICT service provider can result in a fine of 1 percent of the average daily turnover for every day for a maximum of six months.

“All in all, depending on the complexity and size of your organisation, I would say that 18 months is barely enough time to get from where we are today to having the organisation completely compliant,” commented Abdellah Ben Hammou, product director at Klarna.

Ben Hammou, speaking on the panel "Dora: The Biggest Change In Payments No-One Is Talking About", continued that he was on the “doomsday side”, considering the immediacy of 18 months.

“There is the rest of 2023 and 2024, and I would recommend that everybody starts on the work if they haven’t already done so.”

The regulation, which was first proposed as part of the EU’s Digital Finance strategy in 2020, entered the EU’s Official Journal at the end of 2022.

Its requirements vary. For example, financial firms will need to establish comprehensive business continuity policies.

Disaster and recovery plans will also need to be in place.

Further, firms will need to submit initial, intermediate and final reports on ICT-related incidents to their users and clients.

“We need the analysis, we need to understand where the gaps are, what will be impacted, and how this will impact your organisation on a daily basis,” claimed Ben Hammou.

“Routines need to be changed, people have to be trained, and awareness has to be out there.”

Incident reporting requirements, for example, will be harmonised through the regulation.

“Incident reporting will need to change,” he said.

“That means a lot of our first line need to be trained into that. This can be from an engineering team all the way to the head of a department.

“All these people will be required to be trained in the new world, so to say.”

Meanwhile, EBAClearing’s Jessica Ramos recommended that regulated financial institutions do their self-assessments against the requirements, which should reveal where gaps in compliance are.

“It is going to be a lot of different things that you need,” the regulatory affairs chief said. “You’ll need a governance framework, you’ll need governance arrangements, you’ll need procedures, frameworks to report incidents, [and] resilience testing frameworks.”

These types of compliance requirements will need to be caught into policy documents and governance, she said.

“It is going to take time.”

Meanwhile, firms will also need to report to their regulator a list of all ICT providers, meaning that all these providers need to be notified.

“And, you’ll need to have very specific contract clauses. That means renegotiation, and that means time,” she said. “So the sooner you get into conversations with all your ICT providers, the better.”

Ramos additionally recommended that ICT providers start looking into all the firms that will be in scope of the new rules.

Ramos also warned that oversight is not a lighter form of supervision for ICT firms to deal with. “You will need to act soon.”

“An oversight framework is very broad and comprehensive and can take up a lot of time and effort,” she warned. “They can come and do onsite inspections and, not to scare anybody, but there are administrative fines.”

Is DORA a good thing?

Despite the compliance burden, and the consequences for non-compliance, both Ben Hammou and Ramos said that they welcome the incoming regulation.

“DORA has a very broad scope and, from a regulatory perspective, I welcome it quite a lot. It tries to harmonise different regulations and legal bodies that were applicable to the financial industry,” said Ramos.

Ramos continued that it is helpful as entities will now know the one piece of legislation to follow, and which requirements to focus on.

“This will be lighter for institutions.”

Meanwhile, Ben Hammou suggested that DORA is “something to celebrate”.

“I think we really needed such a regulation,” he said. “I think, if anything, it will accelerate the adoption of ICT third-party providers, and will accelerate the adoption of cloud services.”

These requirements have always been on financial institutions, but not across the whole financial system, he said, pointing out that the onus was on the financial institution to go out there and do due diligence and procurement.

“This opens the conversation more freely to talk about procurement of third party services and work with cloud providers,” he said. “Now there is this new regulation that already takes care of a lot of the harmonisation and expectations when it comes to IT risk management and security.”

At present, these consume a lot of resources from institutions, he said.

“If there is anything that will happen from this, apart from all the work to prepare for it, then I am very bullish on the fact that it will accelerate the adoption of these services.”
