The Digital Operational Resilience Act (DORA) went into effect last week in the European Union, and many of the region’s financial institutions are not yet compliant with the new cybersecurity laws.
DORA is a set of tough regulations designed to strengthen the technology operations of financial institutions. These laws also extend to their partners. The legislation aims to prevent data breaches, cyberattacks, and system disruptions that could lead to widespread financial impacts.
Compliance with DORA is mandatory, and violations come with substantial penalties. Financial firms may face fines of up to 2% of their annual global revenue. Furthermore, individuals can also be held accountable under DORA, with penalties of up to $1 million for non-compliance.
Surpassing the Baseline
DORA mandates that financial firms install sophisticated IT risk and incident management systems. It also requires more substantial reporting and documentation, periodic operational resilience testing, and the sharing of intelligence about risks, incidents, and bad actors.
The scope of the regulations is far-reaching, which is why many of the EU’s financial services organizations are struggling to understand what is required of them.
“We saw this too with GDPR (General Data Protection Regulation) and other broad legislation that is subject to interpretation—what does it actually mean to comply?” Harvey Jang, Chief Privacy Officer and Deputy General Counsel at Cisco, told CNBC in an interview. “This lack of a common understanding of what qualifies as robust compliance with DORA has in turn led many institutions to ramp up security standards to the level that they’re actually surpassing the ‘baseline’ of what’s expected of most firms.”
A Mindset Shift
One of the most impactful aspects of DORA is it forces financial institutions to shine a spotlight on their third-party relationships. Organizations will be required to conduct assessments of “concentration risk” to ensure they aren’t outsourcing too many functions to third parties or relying too heavily on partners for critical operational tasks.
While banks may ultimately be responsible for compliance, the new rules will also put pressure on financial technology organizations. Under DORA, technology providers can be fined as much as 1% of their average daily worldwide revenue for up to six months for non-compliance.
The increased scrutiny on third-party relationships could prompt a total mindset shift in how the EU’s banks engage with their fintech partners. Many banks have relied on these partners to help them accomplish digital transformations on a faster and wider scale. However, because of the vulnerabilities this model creates, financial institutions may need to scale back their outsourcing strategies.
“Advances in technology may allow financial institutions to move services back in-house, simplifying this aspect and reducing the risk of non-compliance,” Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, told CNBC in an interview. “Either way, existing contracts will need to be updated to ensure compliance is contractually mandated and monitored between entity and provider.”
Under the Microscope
Regulators have long been concerned about the increasing role of fintech companies in the new banking-as-a-service model. Many technology companies have built their financial solutions with speed and innovation in mind, while compliance was often an afterthought. That mindset doesn’t align with the heavily regulated and highly scrutinized financial services industry.
In the U.S., concerns about the relationship between unregulated fintechs and banks reached a head after the highly publicized collapse of fintech Synapse. Synapse failed to keep proper records of funds for its customers, particularly Evolve Bank & Trust. When Synapse went bankrupt, roughly $85 million in funds were frozen—with no records of who it belonged to.
In the aftermath of the Synapse collapse, lawmakers have increasingly put fintechs and financial institutions under the microscope. The continued demand for regulation has even called the banking-as-a-service model into question.
Controlling Data
Another model that hinges on the capabilities of third-party financial companies is the open banking model, which has long been considered the future of the financial industry. In open banking, third parties serve as facilitators, enabling the secure sharing of protected consumer financial data among organizations.
Though there are concerns about the impact of fintechs, the U.S. recently rolled out its rules designed to regulate open banking. The Consumer Financial Protection Bureau (CFPB) announced it would activate Section 1033 of the Dodd-Frank Act, which is designed to give consumers the freedom to control their own data and switch between financial institutions with ease.
The new laws also require financial institutions to implement stronger data security protocols and beef up their recordkeeping processes.
An Original Concern
There will certainly be growing pains as organizations seek to comply with the various regimes that are being established worldwide. However, there is broad agreement among players across the industry that a stronger regulatory framework is necessary to prevent events like the Synapse collapse and to protect organizations from the increasing number of fraud attacks they face. Until that system is in place, challenges will persist.
“The big takeaway is that compliance is becoming more of a technology concern,” said James Wester, Co-Head of Payments at Javelin Strategy & Research, in an earlier conversation with PaymentsJournal. “That’s a two-fold issue. For the technologists that are tasked with making the open banking environment work, compliance now needs to be one of the original concerns when building out anything that’s going to be dealing with consumer data.”
“The other part of it is that compliance teams often still don’t understand a lot of the technical considerations and concerns,” he said.