What does DORA mean for UK entities?
The European Union (EU) is implementing the Digital Operational Resilience Act (DORA), which was announced as part of the new Digital Finance Strategy, to harmonise Information and Communications Technology (ICT) risk regulations across Europe.
The European Union is taking a firm stand to increase the financial sector’s resilience to ICT-related major incidents. With prescriptive requirements for both financial entities and vital ICT service providers, as well as an ambitious compliance deadline (scheduled for the end of 2022), businesses must begin planning immediately.
DORA also fits into a global trend in financial sector regulation that began with the Bank of England’s (FCA and PRA) consultation papers on operational resilience and impact tolerances and has since been followed by principle-based operational resilience papers from the Bank for International Settlements (BIS) and the Federal Reserve.
What will this mean for Financial Services in the UK?
The UK government has hinted that it will legislate for a UK equivalent of the EU’s planned new Digital Operational Resilience Act (DORA) this coming legislative year, in order to impose new regulatory standards on technology providers in the financial services sector.
The government’s plans for new laws to enable resilient outsourcing to technology providers in the financial services sector – an issue expressly addressed in the EU DORA proposals – were mentioned in a paper released to accompany the Queen’s Speech earlier last week.
The possibility of a UK DORA has surfaced at a time when operational resilience in financial services has been a significant concern for UK regulators, and the EU DORA is nearing completion. The EU’s two law-making organisations – the European Parliament and the Council of Ministers – struck a provisional agreement on the EU DORA earlier this week.
What does operational resilience mean in the UK?
When contracting with service providers, the UK financial authorities (PRA and FCA) expect firms to be robust to operational disruption. The FCA Handbook and the PRA Supervisory Statement on ‘Outsourcing and third-party risk management’ lay out the rules that firms must follow, including data protection, business continuity, and exit strategy. Importantly, these requirements do not apply to third-party service providers who work with these firms (the “Third Parties”).
The proposal recommends introducing primary legislation to empower UK regulators to directly oversee services provided by important Third Parties, ensuring the resilience of financial services and reducing the risk of systemic disruption. In addition, the proposed rule attempts to be flexible and appropriate.
Next steps for UK Financial Services
UK regulators are expected to release a joint discussion paper on “important third parties” in UK financial services later this year, and they are working with the Treasury “on potential measures to control the risks” that those vital third parties pose. A logical extension of this is that the government will seek to legislate in this area, maybe even bringing critical third parties, such as technology providers, under direct financial services regulation on operational resilience.
HM Treasury expects to begin identifying the first important Third Parties under this new framework once the banking authorities have finalised their own rules.
In the meantime, firms should continue to comply with the existing operational resilience criteria that apply to them, while also taking an active interest in these new suggestions and starting to prepare for the new rules on third-party suppliers.
If you require assistance in the form of additional resource for your compliance teams to try and keep up with new regulatory demands, contact us to see how we can help your planning, structuring, and onboarding of the right talent.