How Will DORA Impact Fintech-Bank Collaborations?
Have you ever heard of DORA? No, no, no, not Dora the Explorer, I mean DORA.
DORA, the Digital Operational Resilience Act, is a regulation that has so far received little attention from the business side of the finance industry. It is expected to be published later this year (2022), with an expected go-live in 2024. Its ambitions are clear: to bolster operational resilience within the financial industry and guarantee business continuity by forcing critical ICT third-party providers to conform to regulatory standards. All this will be supervised by one of the three European Supervisory Authorities: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).
To evaluate the impact of DORA on Fintech-bank collaboration, we invited:
- Alexandre Castaing, Chairman of the Board at ISACA Luxembourg, Managing Partner at Axon Advisory and former Head of Operational Risk at Royal Bank of Canada (RBC)
- Jessica Ramos, Head of Regulatory, Oversight and Financial Affairs at EBA CLEARING and Board Member of EWPN
After the subprime crisis, supervisors focused on making sure that, in case of a problem, financial institutions held sufficient capital to overcome it, explained Alexandre.
Alexandre: “Now the expectation is to look at resilience with an external lens: what damage can you cause on the financial market? That is what makes DORA relevant today.”
DORA provides a standard regulatory framework against which everyone will be benchmarked: financial institutions as well as e-money institutions, investment firms, crypto-asset service providers and critical third-party service providers, to name a few.
The new framework must ensure organisations understand the risks they are facing and have safeguards in place to mitigate potential cyberattacks and other IT risks. It also serves as a common language across Europe. There are already multiple standards, and DORA must bring a much-desired harmonisation in digital operational risk management.
Jessica explained that the principles of DORA are not new. It is very similar to the Cyber Resilience Oversight Expectations (CROE), created in 2018, which are part of the Systemically Important Payment Systems (SIPS) regulation, a European translation of the Principles for Financial Market Infrastructures (PFMI).
As an operational risk manager, Alexandre dealt with multiple regulations to manage operational risk. Aligning all these local expectations and regulations regarding operational resilience took a lot of work and negotiation. Harmonising all of that is a blessing for big global financial institutions.
Jessica explained that EBA CLEARING would be impacted less because it operates two systemically important payment systems, which both fall under the CROE scope. The company also works with third-party providers that maintain and develop its payment systems and that are already subject to a special annexe F to the PFMI for service providers of FMIs.
That annexe covers technology planning, information security, risk management, communication, etc.: all elements that DORA also expects. So, most of the DORA requirements are already taken care of.
Still, there is much work to be done, but mainly by smaller organisations in the finance industry. Thus far, they have organised their resilience under the radar, without much supervision. That will change now.
So will DORA make life easier for financial services providers in the broad sense?
Jessica: “I think introducing DORA will require significant investments by parties in order to achieve compliance, but will ultimately make compliance a lot cheaper in terms of continued compliance going forward. Organisations will only have to monitor one regulation and its evolution, rather than having their eyes and ears all over the place trying to capture bits of regulation that come out of everywhere.”
“In terms of entities achieving that compliance, there will likely be a bit of peer pressure in the ecosystem, as there will be expectations that all parties comply with a certain level of requirements. DORA will, hopefully, become the one and only standard.”
Someone in the audience feared that DORA risks killing innovation: DORA could be a severe showstopper for new startups, imposing a compliance cost these companies cannot afford. Nevertheless, 67% of the audience believed that DORA would positively impact collaborations between banks and fintechs.
Alexandre agreed with both by saying that DORA will lead to higher standards in the industry. Some may not reach these new expectations, but is that a bad thing? Alexandre: “DORA should be about protecting customers. That is one of the roles of the regulator. They want to ensure that you don’t end up with a long-term outage like, for example, in the UK with TSB in 2018.”
Jessica agreed with this, saying: “We're talking about cybersecurity, business continuity, resilience; everybody knows the first thing they'll tell you in a cybersecurity conference is you're only as strong as your weakest link. And if you're going to be in an ecosystem where you're playing for high stakes, we're talking about the financial industry, there has to be a minimum standard that has to apply equally and proportionally across the board.”
Having said all this, there was one last question to be answered: is DORA a compliance exercise or a strategic opportunity? 85% of the audience believed that the industry would adopt it as a compliance exercise, and two-thirds of that 85% also understood the opportunity, saying: “It should be a strategic opportunity, but the market will see it as a compliance exercise.”
Smart companies that excel in their effort to reduce operational risk, that go the extra mile in digital operational resilience, will face much easier negotiations with financial institutions and regulators, and could eventually charge higher fees because of that.
EBA CLEARING is a not-for-profit organisation that runs on cost recovery. It organises Governance, Risk and Compliance Days for its users. Jessica: “We invite our participants to explain to them precisely how we comply with the different requirements, including a very comprehensive session on information security, cyber resilience, and business continuity.”
“Compliance with these frameworks increases the cost of our systems for participants, but they're willing to cover that because they can rely on that compliance and the robustness it implies. And they can use it with their own customers to say, ‘Look, we have a very secure infrastructure, and your money will not go anywhere.’ And they could leverage that as a marketing tool.”
So indeed, after this one-hour discussion, I also believe Fintech companies should grasp this as a strategic opportunity to say: “We are here for you; we can help you in a secure and safe way.”
DORA can enhance collaboration between banks and Fintech companies, if they play the game well. As the time spent negotiating with compliance departments, often the biggest bottleneck, goes down, implementations can proceed much more swiftly, leading to healthier Fintech companies, both from an IT and a finance perspective.
Companies that are not fit to deal with DORA should, in my opinion, not have been in the industry in the first place, as that puts their customers at stake when things go wrong.
As Jessica said: “A short-term tough pill to swallow, but a long-term healthy evolution for the entire industry, in my humble opinion.”