The EU’s DORA Regulation Has Wider Implications Than Just Cybersecurity.

By dominic

Exceeding the Baseline


The Digital Operational Resilience Act (DORA) became applicable across the European Union last week. Even so, numerous financial institutions within the region are struggling to meet the new operational resilience and cybersecurity standards it sets.

A Shift in Perspective


DORA imposes strict obligations on financial firms to implement comprehensive ICT risk management frameworks and to report major ICT-related incidents to their regulators. Institutions must also undergo regular digital operational resilience testing and may share information on cyber threats, vulnerabilities, and incidents with their peers.

DORA’s reach is expansive, and its requirements leave room for interpretation, which has led many EU financial services organizations to over-engineer their compliance programs well beyond what the regulation actually demands of most firms.


“Much like with GDPR (General Data Protection Regulation) and other broad legislation that requires interpretation—what constitutes robust compliance under DORA remains ambiguous,” said Harvey Jang, Chief Privacy Officer at Cisco. “This uncertainty has prompted many institutions to set their security standards above the baseline.”



In the Spotlight


One of the most significant impacts of DORA is its emphasis on third-party risk management. Financial organizations must now rigorously assess “concentration risk,” that is, the danger of depending on a single ICT provider, or a small number of them, for functions that are critical to their operations.

Although banks bear ultimate responsibility, technology providers designated as critical ICT third-party providers can also face penalties: DORA allows supervisors to impose periodic penalty payments of up to 1% of a provider’s average daily worldwide turnover, applied daily for up to six months, if it fails to comply with their requests. This heightened scrutiny might force a total mindset shift in how EU banks interact with fintech companies, prompting them to reconsider their reliance on third parties.


“Technological advances may enable financial institutions to bring services back in-house, thus simplifying compliance and reducing the risk of non-compliance,” Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, stated. “Irrespective, existing contracts must be updated to ensure compliance is enforceable.”



Managing Data


Regulators have long been wary of the role played by unregulated fintech companies within banking-as-a-service models. Concerns came to a head after the collapse of Synapse, which failed to maintain accurate, reconciled records of the end-user funds it held through its partner banks, notably Evolve Bank & Trust.

Following this incident, lawmakers intensified their scrutiny over both fintechs and traditional banks. The continued demand for regulation has raised questions about the viability of banking-as-a-service models.



A Core Issue


Open banking is another model that hinges on third-party financial companies, allowing consumers to share their financial data securely between organizations. Despite concerns regarding fintechs’ compliance, the U.S. recently finalized new rules governing open banking under Section 1033 of the Dodd-Frank Act.

The rule mandates stronger data security and enhanced recordkeeping measures for financial institutions and the third parties that access consumer data.


“Compliance is increasingly becoming a technological challenge,” remarked James Wester, Co-Head of Payments at Javelin Strategy & Research. “It’s crucial that technologists consider compliance from the outset when designing solutions dealing with consumer data.” He further noted that compliance teams often lack understanding of technical concerns associated with these regulations.



As organizations adapt to DORA and other evolving regulatory frameworks, they face growing pains, but they broadly agree on the need for stronger oversight to prevent future failures like Synapse’s collapse and to protect against rising fraud. Until robust systems are in place, compliance challenges will persist.
