Financial Services Industry Is on Verge of Major Regulatory Transformation with Digital Operational Resilience Act (DORA)

Law firm Mishcon de Reya LLP recently shared key insights impacting the Fintech and broader financial services sector.

Based in London, Mishcon de Reya services an international community of clients and “provides advice in situations where the constraints of geography often do not apply.”

The work they undertake is cross-border, multi-jurisdictional and complex.

The financial services industry is on the verge of a major regulatory change with the launch of the Digital Operational Resilience Act (DORA) that was unveiled in January of last year.

DORA is now expected to go into effect, and to be enforced, from January 2025.

This European Union legislation should affect financial institutions across the European continent. It may also impact Fintech suppliers that work cooperatively with them.

The main objective of DORA is to strengthen the digital security and operational resilience of the financial services ecosystem, a development that requires active involvement from those affected by it.

DORA reportedly has a relatively wide scope, which should include banking institutions, payment services providers, insurance firms, as well as FinTech suppliers to these services, known as “third-party ICT providers”.

This is an extensive definition that is set to bring into scope any third party offering digital and data services through ICT systems, including software services, hardware as a service, and hardware services.

But it does not include more traditional analogue telephone services. These service providers include those providing cloud computing, software, data analytics, as well as data centre services.

The act aims to emphasize the role of suppliers active in critical or important functions, increasing the obligations which financial institutions currently have to make sure that these third parties adhere to the current regulatory guidelines, including the EBA Guidelines.

FinTech suppliers need to keep in mind Articles 28, 29 and 30 of DORA, which provide updated guidelines and further expand on current requirements for financial institutions, and which are expected to impact Fintech suppliers.

For example, Article 28 requires strict risk management protocols and specifies certain termination rights for financial institutions. These rights are initiated by major breaches, performance-altering situations, shortcomings in risk management, or supervisory difficulties resulting from the supplier relationship.

Suppliers may have to work closely with financial institutions to ensure that the financial institutions can adhere to these guidelines. This could require suppliers to alter the ways they collaborate with their financial institution clients and to provide them with relevant protections that they need to know about at this time.

One of the most significant updates introduced by DORA is that FinTech suppliers must know about the various contractual obligations that financial institutions have to expect from them.

These requirements are similar in some ways to, but not exactly the same as, those specified under legislation such as the EBA Guidelines and, in the United Kingdom, the Financial Conduct Authority’s (FCA) outsourcing guidelines included in the FCA Handbook (SYSC8).

A few of the main contractual obligations that will have to be included in contracts between financial institutions and their ICT suppliers under DORA are mentioned here.

For suppliers that are taking part in vital functions (which basically means that the failure of a FinTech supplier may have a considerable impact on a financial institution’s overall performance), the stakes tend to be greater, and the contractual obligations are more rigorous.

These suppliers may also have to take into consideration:

  • contingency planning;
  • participation in penetration testing;
  • stricter performance monitoring rights;
  • exit strategies and transition periods; and
  • notification procedures.

As financial institutions start to update their standard contracts to become consistent with DORA’s guidelines, FinTech suppliers must also actively amend their contracts and relevant service offerings.

This is not merely about ensuring adequate compliance. It is also about ensuring competitiveness and appeal in a fast-changing regulatory ecosystem. If done properly, it may assist FinTech suppliers in their sales cycles and engagement experience with financial institutions from the start and RFP stages.

But the main goal, for all of the obligations mentioned, is to accurately understand what the financial institutions require by including them, rather than merely accepting them as a supplier because they are told they are required to do so under current regulatory guidelines.


