Financial Markets and Funds Partner Nathaniel Lalone spoke with The Fintech Times, Retail Banker International and Electronic Payments International about the impending deadline for implementing the Digital Operational Resilience Act (DORA), set for January 17. With severe penalties for non-compliance, financial firms are making last-minute efforts to ensure they meet DORA's requirements. The regulation, introduced in 2022, aims to protect financial services from information and communication technology (ICT)-related incidents by mandating comprehensive risk management and resilience measures.
Given the alignment needed between ICT third parties and financial organizations on critical changes, Nate stated, "As with most major regulatory implementation deadlines, we all seem to be fumbling towards the finish line. DORA introduces very specific and prescriptive requirements and has lots of moving pieces, but we have seen two key compliance challenges.
"First, in terms of updating contracts, there is a 'battle of the forms' between financial entities, who want all their service providers to use their standard form of agreement, and service providers, who want all their financial entities to use their own standard form of agreement. The question is: who has the stronger negotiating power and who blinks first?
"Second, the compliance burden ratchets up for service providers supporting 'critical or important' functions, and there's some push-and-pull between financial entities and their service providers over the proper criteria and process to use when making that decision. This leaves open the risk that some providers of a given service are designated by their financial entities as supporting 'critical or important' functions and subject to heightened obligations, whereas providers of a nearly identical service are not.
"That seems inequitable and it's not clear how to solve for those discrepancies with the rules as they currently stand."
Additionally, Nate noted, "Alongside these challenges, the ongoing DORA obligations remain with firms grappling to integrate compliance with existing requirements and internal systems, while managing resourcing constraints."
"DORA: 17 January compliance date is upon us – industry reaction," Electronic Payments International, January 16, 2024
"DORA: 17 January compliance date is upon us – industry reaction," Retail Banker International, January 14, 2025
"Less Than a Week Till DORA: Ensuring the Final Checks are Made," The Fintech Times, January 11, 2025