March 29th, 2022 • Core Banking by Marketing Skaleet

DORA: The New Banking Resilience Challenge! 💪

Since the financial crisis of 2008, the banking industry has steadily gone digital, focusing on risk management, compliance, and customer-facing operations. Today, as the industry faces new crises and new operational challenges, banks must manage fundamental changes in their infrastructure.

The pandemic has shown the value of technologies that allow the economy to keep functioning remotely and, to an extent, to overcome social distancing. These radical changes in the way people work and consume, for instance the dramatic increase in online shopping, will have a lasting impact on economic relationships. The good news is that the eurozone's banking system has demonstrated resilience in the face of the pandemic. According to a McKinsey study, banks entered the pandemic generally well-capitalized and are far more resilient than they were 12 years ago.

While this is reassuring for now, it may not be enough for the future. In recent years, widespread system outages and cyber threats, together with the effects of the Covid-19 pandemic, have put operational resilience at the top of financial regulators' priority list.

DORA: New Challenges for New Times 👨‍💻

On September 24, 2020, the European Commission published its proposal for the Digital Operational Resilience Act (DORA). The proposal builds on existing European rules on ICT (information and communication technology) risk management in the financial sector and consolidates them into a single framework. At the time of writing the text is still being negotiated; formal adoption is expected in late 2022, with the requirements applying after a transition period.

With DORA, the EU continues to build a framework for supervising the ICT risks of banks and of critical third-party service providers. While the rapid pace of digital innovation has benefited financial services customers, it has also introduced new operational and systemic risks arising from a highly interconnected provider landscape. As Joachim Wuermeling, a member of the Executive Board of the Deutsche Bundesbank, put it, the main objective of DORA is to "bring consistent rules and oversight to the seemingly boundless sky beyond the clouds." DORA can also serve as a regulatory model for other jurisdictions, helping to limit the risks that come with increasingly digital operations.

Operational resilience is not optional for banks, and their spending shows it. Some large banks invest hundreds of millions of euros each year in cyber security, an amount that has more than doubled since 2015 in some cases. This trajectory will probably continue in the near future, with annual growth rates of around 10%. A considerable portion will go into cloud security, reflecting the shift of banks' business models to the cloud. Back-office systems, however, have not kept pace, leaving banks with a range of problems, including the cost of the services they consume and the pressure this puts on profitability.

Indeed, financial institutions tend to outsource much of their IT, including the management of their complex architectures. For example, the majority of large financial institutions with highly customized IT that are supervised by the European Central Bank have indicated that they outsource many key services to third-party service providers:

  • 5% of minor configurations 
  • 20% of financial services personalization 
  • 45% of regulatory and accounting services customization
  • 30% of IT architecture and its properties 

DORA's focus on third-party risk management underscores the need for a holistic approach that goes beyond internal processes and systems. Although this article focuses on banks, DORA will apply to all financial services players: not only credit and lending institutions, but also payment and e-money institutions, investment firms, insurance and reinsurance companies, as well as the ICT third-party service providers that serve them.

The text is currently in draft form, with formal adoption scheduled for late 2022 and application by 2024. It sets requirements in five main areas:

  • ICT Risk Management: Operational risk broadly encompasses risk factors related to a bank's employees, processes, and technology. To comply with DORA, financial institutions must maintain digital operational resilience against an expanded and more granular definition of ICT risk that includes malfunctions, capacity overruns, failures, disruptions, impairments, misconduct, and losses.
  • ICT Incident Reporting: Financial institutions are already required to collect data on major ICT incidents, report them to the authorities, and act on information provided by supervisors. Under DORA, reporting is harmonized across the sector and extends to incidents involving critical third parties. We expect this change to significantly increase the volume of reportable issues.
  • Digital Operational Resilience Testing: Financial institutions, and the third-party service providers they rely on, will have to carry out a programme of regular tests (vulnerability assessments, scenario-based testing and similar exercises), with the most significant entities also conducting threat-led penetration tests, to assess whether their cyber security is adequate. Given how quickly threats change, this will require ongoing review rather than a one-off assessment.
  • Third-Party ICT Risk Management: Critical third-party vendors will be held accountable for providing DORA-compliant services, which may require financial institutions to renegotiate contracts or switch vendors. Some suppliers will likely raise prices to recoup the cost of meeting DORA's requirements.
  • Monitoring and Information Sharing: DORA encourages financial institutions to share cyber threat information and intelligence across the financial services industry on a voluntary basis.

Three Options for Complying with DORA 👇

Some banks may choose to do nothing until DORA takes effect and then manage any changes through business-as-usual processes. The logic is to minimize current expenses and limit distractions. The trade-offs include potentially higher operational risk, greater exposure to regulatory action, and a greater likelihood of having to resolve complex issues under the watchful eye of regulators, perhaps on strict timelines. Taken together, this amounts to a significant missed opportunity.

Other banks will implement tactical changes in areas of known weakness, such as third-party risk management. This approach can deliver tangible improvements in operational resilience and, if started now, leaves enough time to address these complex areas properly. However, it does not address DORA completely, leaving some requirements to be dealt with on short time frames and with less than ideal solutions.

Bolder institutions will take the opportunity to address the deeper underlying issues that drive today's risk and cost, and will seek to overhaul some or all of their risk and compliance programmes to build a stronger, more effective organization. A broader scope certainly increases complexity in the short term and exposes internal barriers to change. Yet this approach not only ensures that operational resilience is genuinely fit for purpose, it also offers cost benefits through more efficient and comprehensive solutions.

Banks have already found themselves in similar situations with regulatory initiatives such as the General Data Protection Regulation (GDPR) and the revised Payment Services Directive (PSD2). While some financial institutions treated these changes as a purely technical compliance exercise, forward-looking leaders took a more strategic view, which allowed them to develop differentiated capabilities in data analytics and in platform-based business models. With DORA, the latecomers of the past could fall into the same trap.

Resilience Through Innovation ☁️

The longer-term strategic benefits of digital transformation far outweigh the risks, provided banks use technology to manage risk and improve overall resilience while reducing redundancy and paperwork. One ingredient is establishing agile, lean processes that rely on automation. Rapid-automation trials have shown that automating end-to-end processes, which used to take 12 to 18 months, can be done in 6 months and with half the investment typically required. Another is collaboration between internal functions as well as with external partners and technology providers.

Banks must also keep up their efforts to modernize and transform digitally in order to meet future challenges. On that point, a survey conducted by IDC showed that institutions that had already invested in technologies such as the cloud, open API architectures, AI, security, and mobility weathered the COVID-19 storm better than their peers, and recovered more quickly.

The DORA regulation thus represents an opportunity for banks to reinvent themselves with a clear objective: to turn resilience into a strategic effort rather than a compliance chore.

Cloud-based Core Banking Platform solutions help address these new banking resilience challenges. With reduced costs, improved responsiveness, a customized user experience, and simplified integration with third-party applications, there is no shortage of arguments in favor of the core banking platform, which explains its success.

To support the digital transformation of banking players, neo-banks, and fintech companies, Skaleet offers a cloud-native, agile, and scalable Core Banking Platform (CBP). In this new environment, a CBP gives financial institutions the ability to respond and adapt as resilience and compliance requirements evolve. It's not too late to maintain your advantage!
