The digitalisation of financial services is nothing new. Wallets are stored on phones, insurance premiums are calculated by algorithms, shares are traded in microseconds, and our data is increasingly stored in clouds. This is only going in one direction. We must embrace the efficiencies digitalisation brings and continue to innovate to make our markets even more competitive.
As a result of this trend, the financial and digital sectors are increasingly integrated, with financial services relying more and more on the ICT sector. This gives rise to operational resilience and concentration risks and, in turn, increased financial stability risks.
These evolving risks have been considered at length by supervisory authorities on the global level from several perspectives: the cybersecurity risks, the operational risks, the outsourcing risks, and the concentration risks posed by the fact that there are too few digital actors serving a majority of the financial sector.
On the basis of these global-level discussions, and in the context of the European Commission’s commitment to making the EU fit for the digital age and a global digital player, the Commission brought forward its Digital Finance Package in September 2020. The package includes a proposal for a regulation on digital operational resilience for the financial sector – known as the Digital Operation Resilience Act or Dora.
While other countries, including the US and Singapore, have taken limited measures to address the integration of the digital and financial sectors, the EU’s proposal is, arguably, the most ambitious and far-reaching.
The regulation is comprised of two chapters. The first seeks to harmonise the patchwork of requirements across the financial sector and establish a holistic framework for digital operational resilience to ensure that the sector is better placed to withstand ICT problems. The second examines more closely the risks posed to the financial sector by the reliance on the biggest tech companies.
Chapter 1 obliges companies to have in place an ICT risk management framework that identifies ICT risks, implements protection and prevention measures, detects threats, responds to and recovers from ICT incidents, reflects on and learns from these incidents, and improves communication to supervisors and among the industry.
Effectively, we need to establish a cycle of good practice within the financial sector. ICT risks and cyber threats are continuously evolving and best practices must develop in parallel.
The question that arises most often when discussing this issue is one of proportionality. Have the Commission’s proposals gone too far?
To my mind, the framework must be proportionate, necessary and effective – not just regulation for regulation’s sake. The default approach to proportionately in the financial sector is based on the size of the firm. That approach is not so relevant, however, in the digital age. Nowadays there are sophisticated fintech firms with few personnel and, likewise, private institutions with large assets but little reliance on ICT services.
For the purposes of Dora, the proportionality must be risk-based. Exposure to or reliance upon an ICT service needs to be met with the appropriate level of risk management. The financial sector is highly interconnected and is only as strong as its weakest link.
Equally as important is the need to ensure that the framework is future-proofed. It must be flexible enough to allow new players to enter the market and existing players to innovate.
Chapter 2 of the regulation, considered to be the more controversial section, focuses on the oversight framework for “critical” third-party ICT providers (ICT TPPs). While the framework in Chapter 1 should make the financial services more robust and resilient towards digital operational risk, the Commission has recognised that elements of the digital sector provide services so essential to financial entities, or to such a large part of the financial services sector, that there is a “critical” reliance upon them.
ICT TPPs deemed critical will be subject to oversight by the European supervisory authorities. On the face of it, financial supervisors being responsible for overseeing the practices of digital actors seems illogical, especially as Big Tech has some of the most advanced systems and some of the brightest minds to ensure their security is not compromised.
A strong distinction needs to be made here between supervision of the financial sector and mere oversight of the ICT sector. It is important for the purposes of accountability and just regulation that financial supervisory authorities do not have far-reaching competences beyond authorised entities, which ICT TPPs are not.
Since the publication of the proposal, there has been much discussion among the industry and politicians alike about the provisions preventing EU financial entities from contracting the services of critical ICT TPPs based in third countries. Some consider this as a way to build the EU’s digital capacity and strategic autonomy; others perceive it as amounting to protectionism.
As a liberal, I simply do not believe that Europe’s digital capacities will thrive by restricting access of third-country companies. We need strong and healthy competition in our markets.
As global economies become increasingly digitalised, however, geopolitics will play an ever more important role. It is inevitable that sanctions and trade disputes will eventually impact digital services.
Moreover, we cannot be ignorant to that fact we live in an age of cyber warfare. In this context, it is justified that the EU should have safeguards in place that will allow appropriate oversight of the most critical TPPs whose services are interwoven throughout our financial sector. The Dora framework will have to resolve these competing objectives.
As the European Parliament’s draftsman for the its position on Dora, it will be my responsibility to strike the sensitive balances between prescription and proportionality, regulatory clarity and future-proofing, an open and attractive EU and effective risk oversight.
For those outside the bubble of EU regulation and compliance, financial services and ICT, the term Dora is more likely to invoke images of a cartoon of a young Hispanic girl, rather than a risk management framework. But can the EU’s Dora live up to the ambitious and pioneering reputation of its namesake?
Billy Kelleher is a Fianna Fáil MEP for Ireland South and a full member of the Econ and Fisc Committees of the European Parliament