Could a DORA equivalent be next for UK digital finance reform?
Update 9 June 2022
Today, 9 June 2022, the UK Government published a policy paper confirming that the Financial Services and Markets Bill will create a new regulatory regime allowing the Government to designate certain ‘critical’ third-party suppliers to the financial sector. Financial regulators will then be able to make rules around the provision of these third parties’ services, such as minimum resilience standards.
We will continue to monitor progress as key dates and next steps are announced.
Last month, both EU and UK policymakers took significant steps to make the financial services sector more resilient. With the progression of the EU’s flagship financial resilience legislation DORA, and the announcement of a key new Bill in the UK Government’s Queen’s Speech, regulators are on a mission to mitigate risks associated with third-party suppliers in the sector, with potentially big impacts for firms and their supply chains.
What is DORA, the EU regulation?
The European Council and European Parliament have reached a provisional agreement on the Digital Operational Resilience Act (DORA). It’s aimed at financial entities regulated at EU level, which includes everything from credit and payment institutions to credit rating agencies and crowdfunding service providers.
The draft regulation is part of the Commission's wider Digital Finance Strategy which aims to support growth in digital finance and manage risk, and covers a range of IT-related requirements. This encompasses risk management, incident reporting, third-party risk and information sharing.
In reaching the provisional agreement, the European Parliament stressed the importance of making sure that risk management requirements do not hamper innovation. Other key points include ensuring that entities only enter a contract with ICT service providers that have appropriate, up-to-date security standards and requiring that one in three tests of an organisation’s cybersecurity preparedness should be done by an external provider.
The provisional agreement needs to be approved by the Council and the European Parliament, then undergo a formal adoption procedure. The rules will come into effect 24 months after that approval.
What’s next for UK regulation?
The UK Government has announced that a new Financial Services and Markets Bill will be introduced to Parliament shortly, paving the way for a UK-specific regulatory framework for financial services. This would bring about big changes for the financial sector and significantly improve resilience.
Critically, according to the Government’s briefing, the new legislation will help to support resilient outsourcing to technology providers, as well as the safe adoption of cryptocurrencies.
This new legislation would also tie into other recent developments in the regulatory landscape of the financial sector. Currently, UK financial regulators are preparing a joint discussion paper outlining additional measures to enhance the oversight of the systemic risks posed by critical third-party service providers. This paper is likely to include a focus on cloud providers, similar to DORA.
What impact will new regulations have on businesses?
In the EU, the DORA regulations impose significant demands on organisations when it comes to third-party technology risk. These include provisions on accessibility, availability, integrity and security, as well as guarantees of access, recovery and return for organisations in case a third-party service provider fails. They also outline a need for ‘exit strategies’ to be determined and tested. It is likely that the new UK regulations will have a similar focus and significance.
Getting to grips with the ever-complicated landscape of outsourcing risks remains a top priority for financial legislators globally. Therefore, by providing what is essentially a technical insurance policy, software escrow solutions have a core role to play in de-risking the use of third-party suppliers and providing reassurance to firms that embrace new technologies.
Financial organisations still have space for innovation; however, these new regulations aim to ensure that innovation comes with operational resilience.