
Countdown to DORA: Non-traditional finance firms face biggest challenge


December 6, 2024

The European Union’s Digital Operational Resilience Act (DORA) finally kicks in, to all intents and purposes on January 17, 2025. Not much time remains for financial firms to ensure they are ready to comply with the regulation — and for those who have yet to begin renegotiating supplier contracts and reviewing governance arrangements, it may be too late.

Regulatory experts expect traditional financial firms to be in better shape as DORA arrives. PJ Di Giammarino, founder of regtech consultancy JWG, said many non-traditional and decentralised finance (DeFi) firms may not appreciate that the regulation applies to them.

“The communication has been primarily to the banks and the large, critical third parties that the regulators expect to be overseeing. However, wherever a company touches ‘TradFi’ or Markets in Crypto-Assets Regulation (MiCA) rails, it will need to ensure it meets detailed safety standards for critical or important functions,” Di Giammarino said.

The EU’s three financial supervisors (ESAs) will decide who will be designated a critical third party, after financial firms list their choice on a central register. Firms’ lists must be submitted to national competent authorities (NCAs) by January 17, and the NCAs must then submit their own lists to the ESAs by April 30.

DORA will be overseen at EU level by a new directorate

Marc Andries was appointed to lead the directorate in October

Andries joins from the French central bank, Banque de France, where he was head of IT inspection

The directorate will have a team of 30 to oversee critical third-party providers and competent experts at national regulators

“The register of information helps us to have all the third parties to whom services have been outsourced, and it helps us to identify the critical third parties where the greatest concentration risk occurs,” Laura van Geest, chair of Dutch financial regulator Authority for the Financial Markets (AFM), told an industry audience at the Association of Financial Markets in Europe (AFME) Operations, Post-Trade, Technology & Innovation conference in October.

Van Geest stressed that DORA applies to non-EU firms if they provide services to EU-based firms.

“I’ve been told that many UK firms, especially smaller third-party IT suppliers, may think they’re not subject to the new requirements for cyber risk management and operational resilience, but that assumption is obviously wrong,” she said.

Service providers

DORA’s reach is such that it is not only the firms deemed critical third parties by the ESAs who will need to comply, but also any business that provides a service that is critical to another business’s ability to operate.

Elsa Madrolle, general manager for EMEA at VerifyVASP, said her firm had opted for a proactive approach to DORA.

The firm — which provides travel rule solutions to virtual asset service providers (VASPs), referred to as crypto asset services providers (CASPs) in EU legislation — has been preparing for DORA for some time.

“We started looking at how, as an information and communications technology (ICT) service provider to a new DORA obliged entity, the regulation might affect us. Under DORA, ICT service providers can be deemed critical to operations or critical by designation of one of the ESAs,” she said.

“We are definitely critical to operations of CASPs, which comes with a certain set of obligations. Drawing a parallel to traditional finance, however, global payments system Swift is deemed to be a critical service provider by central banks that oversee it. So we figured if Swift is deemed critical for banks, then in time, the largest travel rule service providers could theoretically further come into scope of some kind of oversight.”

Madrolle thinks at some stage, regulators will focus more closely on operational risk by financial institution type rather than their initial blanket approach.  

“If they do eventually narrow it down to the CASP level, a licensed CASP is going to be very dependent on its travel rule service provider to facilitate compliant transfers. The transfer of funds regulation actually states that if the travel rule exercise cannot be completed, a transfer should not go through, so we came to the conclusion that we are quite critical from an operational resilience standpoint, at least to the operations and possibly even to the existence of these CASPs,” she said.

MiCA, DORA overlap

Non-traditional finance firms, especially those seeking authorisation under MiCA, can’t ignore DORA as compliance with the act is baked into MiCA.

“MiCA goes live at the end of the year, and DORA a few weeks later. You will need to comply with both if you want to be a regulated crypto company in Europe,” said Nathan Catania, a partner at XReg Consulting.

Catania said it will mean a huge jump in the level of regulation for crypto firms as they will have to establish and evidence governance committees, systems and controls.

“Where we find the crypto firms lacking is mainly on the documentation and governance. This means having policies in place, establishing committees, implementing different levels of review, and the ability to report incidents to regulators. The banking world has been doing this for years and years and does it quite well,” he said.

Implementing these governance and compliance systems is a multi-month process, he added.

Contracts

Article 30(2)(a) of DORA mandates model clauses that must be inserted into ICT supplier contracts.

Madrolle has been making sure the VerifyVASP contracts are DORA-compliant, using a process that entailed reviewing every client/supplier contract to ensure the clauses were put in place.

Catania expects established crypto firms to be quite good on DORA’s more technical requirements, such as cyber resilience. “They’re probably quite strong — and arguably stronger than many banks that are relying on legacy systems and aren’t as tech-savvy as the crypto firms that are under constant cyber attack,” he said.

Penalties

The DORA regulation contains penalties for firms and sanctions for individuals should things go wrong. JWG’s Di Giammarino said supervisors are emphasising personal accountability and reputational damage in their discussions with financial firms. 

“What the national central banks in particular have been very crafty about is working the conduct regime to go to the senior management and say, ‘show me your plan, show me who’s accountable for all this processing in the hands of vendors’, and when they can’t pass the smiles test, they say, ‘OK, well, we’ll whack another 100 million on your reg cap requirement until you can sort this out, then.’ The market will quickly discover why,” he said.

Penalties available under the DORA regime include public censure of firms and individuals found to be at fault when a breach occurs and banning a firm from providing services into or within the EU.

The regulation also allows member states to impose criminal penalties for DORA non-compliance.

Despite the risk of penalties, Di Giammarino said it was important for firms to keep in mind the act also provides firms with a chance to rethink how they manage their digital supply chain around common standards.

“This isn’t just about compliance, it’s an opportunity to build trust in an ever-complex digital world. JWG is pioneering artificial intelligence-powered regtech and working with the key industry associations to foster standards-based collaboration that rethinks how we manage our digital supply chain,” he said.