The financial services sector is on the cusp of a significant regulatory shift with the introduction of the Digital Operational Resilience Act (DORA), which took place in January 2023 but is set to take effect in, and to be enforced from, January 2025. This new EU legislation will impact not only financial institutions across Europe but also the FinTech suppliers that service them. The essence of DORA is to bolster the digital security and operational resilience of the financial sector, a move that necessitates proactive preparation from those impacted by it.
Who will be impacted?
DORA casts a wide net, encompassing banks, payment services, insurance companies, and notably, the FinTech suppliers to these entities, referred to as "third-party ICT providers". This is a wide-ranging definition which brings into scope any third party providing digital and data services through ICT systems, including software services, hardware as a service and hardware services; it does, however, exclude traditional analogue telephone services. These providers include those offering cloud computing, software, data analytics, and data centre services. The act places a spotlight on suppliers involved in critical or important functions, expanding the obligations which financial institutions already have within the existing regulatory framework, such as the EBA Guidelines, to ensure that such third parties are compliant.
Key considerations
FinTech suppliers should pay close attention to Articles 28, 29, and 30 of DORA, which introduce new requirements for financial institutions, and expand on existing ones, in ways that will affect FinTech suppliers. Article 28, for instance, mandates stringent risk management protocols and outlines specific termination rights for financial institutions. These rights are triggered by significant breaches, performance-altering circumstances, weaknesses in risk management, or supervisory challenges posed by the supplier relationship.
Suppliers will be required to collaborate with financial institutions so that the financial institutions are able to comply with these requirements. This may mean suppliers have to change the ways in which they work with their financial institution customers and offer them additional protections, and suppliers should be aware of this now.
Contractual obligations
Perhaps the most important changes brought about by DORA that FinTech suppliers need to be aware of are the suite of contractual obligations that financial institutions are required to impose on FinTech suppliers. These obligations are similar to, but not exactly the same as, those required under legislation such as the EBA Guidelines and, in the UK, the FCA's outsourcing rules contained in the FCA Handbook (SYSC 8). Some of the key contractual obligations that will need to be included in contracts between financial institutions and their ICT suppliers under DORA include:
- detailed service descriptions;
- data processing locations;
- enhanced data protection safeguards;
- data access and recovery provisions;
- performance monitoring;
- involvement in security and resilience training;
- service level agreements (SLAs);
- assistance with incidents;
- cooperation; and
- termination rights.
For suppliers involved in critical or important functions (which, in short, means that the failure of a FinTech supplier could have a material impact on a financial institution's financial performance or its obligations to the wider financial markets, or could place any authorisation or licensing conditions at risk), the stakes are higher, and the contractual obligations are more stringent. In addition to the obligations listed above, these suppliers will have to consider:
- exit strategies and transition periods;
- notification procedures;
- contingency planning;
- participation in penetration testing; and
- stricter performance monitoring rights.
As financial institutions begin to revise their standard contracts to align with DORA's requirements, FinTech suppliers should also proactively update their contracts and service offerings. This preparation is not just about compliance; it is about maintaining competitiveness and attractiveness in an evolving regulatory landscape and, if done well, can help FinTech suppliers in their sales cycles and in their engagement with financial institutions from the outset and the RFP stages. However, the key with all of these obligations is understanding exactly what the financial institutions need from their inclusion, and not simply accepting them as a supplier because you are told that they are required under regulation.
Interested in our "FinTech Suppliers' DORA Checklist" to assist FinTech suppliers that will be affected by DORA? If so, please get in touch with our team for tailored support to prepare your documentation or update your agreements with your financial institution customers.