The Digital Operational Resilience Act (DORA)
The European Union’s Digital Operational Resilience Act (DORA) is a ground-breaking, first-of-its-kind piece of legislation. It applies to financial entities a methodology similar to the operational resilience requirements already being imposed on financial institutions elsewhere (such as the UK regime described below). The Act will require documented ICT risk management and governance procedures, resilience (scenario) testing, threat intelligence sharing, third-party and supply chain risk management, incident reporting, and audit and retrospective analysis. DORA builds upon existing third-party outsourcing requirements and is an attempt to streamline and harmonize them across the EU. It is part of the broader EU Digital Finance Package. A provisional agreement was reached in May 2022; the Act is expected to pass in H2 2022 and to enter into force in 2023.
DORA will apply to almost all regulated financial entities, brings in-scope technology and data service providers (TSPs) under its requirements, and expands regulatory oversight of “critical” TSPs. Critical TSPs established outside the EU will be required to establish a legal entity in the EU, which is likely to help with enforcement. The current criteria for establishing criticality include:
- The number and systemic character of financial entities that rely on the TSP
- The TSP’s degree of substitutability
- The scale, complexity, and importance of TSP-related dependencies
- The criticality or importance of the services that the TSP provides subject to the contractual arrangements
- A risk assessment of any potential impact on the continuity and quality of financial services that are consumer facing
The existing European Supervisory Authorities (EBA, EIOPA and ESMA) will have oversight of both the regulated financial entities and the critical TSPs, with powers to:
- Conduct on-site and off-site inspections
- Issue recommendations
- Request information directly from critical third parties on their resilience
- Impose periodic penalty payments of up to 1% of the critical TSP’s average daily worldwide turnover for each day of non-compliance
- Request financial entities to terminate their business relationship with the TSP
EU Member States will also have the right to impose criminal penalties for breach of the obligations.
Bank of England (BoE), FCA, and PRA
The Bank of England (BoE) is the UK’s central bank and is operationally independent of the government. The Prudential Regulation Authority (PRA), which is part of the BoE, and the Financial Conduct Authority (FCA), a separate independent body, are the regulators created in the aftermath of the 2008 financial crisis. The PRA is responsible for the prudential supervision of around 1,500 banks and insurance companies. The FCA is responsible for the conduct of financial services firms in both retail and wholesale markets (around 58,000 businesses which employ 2.2 million people).
A key priority for the BoE and the two regulators is to ensure the operational resilience of the firms they supervise in order to protect the stability of the financial markets. In support of that priority, the three entities jointly published a discussion paper outlining a framework for operational resilience, designed to ensure that firms can prevent, adapt to, respond to, recover from, and learn from operational disruptions.
The requirements and expectations for firms are to:
- Identify their important business services by considering how disruption to the business services that they provide can have impacts beyond their own commercial interests
- Set a tolerance for disruption for each important business service
- Ensure that firms can continue to deliver their important business services and are able to remain within their impact tolerances during severe – or in the case of financial market infrastructures (FMIs), extreme – but plausible scenarios.
The Central Bank of Ireland
The Central Bank of Ireland published its Cross Industry Guidance on Operational Resilience, initially as a consultation paper. The guidance builds on existing guidance from the Basel Committee and the BoE and is structured around three pillars of operational resilience:
- Identify and prepare
- Respond and adapt
- Recover and learn
Central to these pillars are the concepts of governance, a service-led approach, setting impact tolerances, mapping dependencies, ICT and cyber resilience, scenario testing, business continuity management, incident management plans and response, and a path for ongoing feedback.
The three pillars support the principles of managing operational resilience and related risks, and they provide a feedback loop that allows firms to learn continuously from experience and fosters a culture of continuous improvement. The Central Bank of Ireland provides additional prescriptive guidance in the form of 15 guidelines that set out what the regulator considers to be the elements of a successful operational resilience program.
The guidance is currently in effect, and enforcement is expected in 2023.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a landmark privacy law in the European Union that governs the processing of personal data of individuals in the EU. The GDPR is extraterritorial, meaning that its reach and enforcement extend outside the boundaries of the European Union: it applies to any organization, wherever located, that collects, stores, processes, or transfers personal data relating to individuals in the EU.
The rights afforded to data subjects under the GDPR include the right to be informed, the right of access, the right to rectification, the right to erasure (the “right to be forgotten”), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.
GDPR requires a risk-based approach to security, including data protection impact assessments for high-risk processing, and many of the resulting security controls overlap with other frameworks. Additionally, if your organization outsources the processing of personal data to third parties, those processors must be bound by a written data processing agreement and monitored for compliance with GDPR’s data security and processing obligations. From the lens of operational resilience, you should understand how your organization processes and stores the personal data of individuals in the EU when working through important business service mapping. The records of processing activities, and the associated data and application inventory, that GDPR requires may be a useful place to start that mapping.
EBA Guidelines on Third-Party Outsourcing
The European Banking Authority (EBA) is the European Union’s (EU) banking supervisory authority and one of the three European Supervisory Authorities. In 2019, the EBA published revised Guidelines on Outsourcing Arrangements (the “EBA Guidelines”). The EBA Guidelines require institutions to manage and track the risks arising from third-party service providers. Consistent with other outsourcing requirements set forth in the revised Payment Services Directive (PSD2), the Markets in Financial Instruments Directive (MiFID II), and other relevant digital finance regulations, the EBA Guidelines set out a risk management framework that includes an outsourcing policy, internal controls, a register of outsourcing arrangements, and ongoing monitoring of the third parties that underpin financial services.
The EBA Guidelines require a written agreement between the financial institution and the third party that sets out the expectations, reporting obligations, access and audit rights, and documentation required for the identification and remediation of risks.
Because of the audit and remediation requirements, it is critical that third parties that contract with European financial institutions have the necessary control frameworks in place to support the obligations that they are signing onto.
The UK HM Treasury Proposal
The UK’s HM Treasury has published a policy proposal that is similar to the Digital Operational Resilience Act in the EU. There is currently no draft legislation to support it, and it is open for comment. The proposal would give the UK financial regulators, specifically the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), the ability to directly oversee services provided by critical third parties in order to ensure the resilience of financial services and reduce the risk of systemic disruption. The policy proposes to do this through primary legislation.
HM Treasury is expected to designate TSPs as critical through secondary legislation, in consultation with the PRA and FCA, drawing on data and information from regulated firms and from the third parties themselves, including representations from both as to why a given provider should or should not be considered critical.
The proposed scope of the regulators’ powers would allow them to:
- Request information directly from critical third parties on their resilience and compliance with the legislation
- Commission an independent “skilled person” to report on certain aspects of a critical third party’s services
- Appoint an investigator to investigate potential breaches
- Interview a representative of a critical third party and require the production of documents
- Enter a critical third party’s premises under warrant as part of an investigation
The regulators would also have the power to direct critical third parties to take, or refrain from taking, specified actions, to publish information about them, and to prohibit them from providing services to the financial sector. Since the proposed regime extends regulatory reach to third parties that have not previously been subject to financial regulatory requirements, it would be beneficial for these organizations to start understanding and planning for the requirements now.