On September 24, 2020, the European Commission published its long-awaited proposals on digital operational resilience, comprising a draft regulation (DORA) alongside a proposed directive. The package is designed to harmonize and enhance Information and Communication Technologies (ICT) risk management requirements throughout the financial sector to ensure that all participants of the European financial system can withstand disruptions and threats relating to ICT. The proposals, which are part of the broader Digital Finance Strategy package, aim to harmonize EU rules addressing ICT risk and bring major ICT service providers directly within scope of regulatory oversight.
In this article, we provide a brief overview of the key proposals and assess the impact on payment services providers, in particular. We have published a separate blog post on Regulation Tomorrow on DORA and the proposed directive, which provides a general overview of the regime, but in summary DORA applies to a range of firms including payment services providers, electronic money institutions and crypto-asset service providers and covers a number of issues including:
- ICT risk management: Firms are required to maintain a sound, comprehensive and well-documented ICT risk management framework, including a dedicated and comprehensive business continuity policy, disaster recovery plans, back-up policies and a communications policy.
- Incident reporting: Firms are required to establish and implement a specific ICT-related incident management process.
- Digital operational resilience testing: Firms are required to periodically test their ICT risk management frameworks in a way that is proportionate to a firm’s size, business and risk profile.
- Managing third-party risk and regulating critical ICT service providers: Firms are required to take steps to ensure the sound management of third-party ICT risk.
- Information sharing: Firms are able to exchange amongst themselves information and intelligence about cyber threats, including indicators of compromise, tactics, techniques, procedures, cyber security alerts and configuration tools.
Specific impact on payment services firms
ICT and security risk management has been a focus for payment service providers for the last few years and consequently, DORA and the accompanying directive may represent less of a step-change for these categories of firms than for other providers. Nevertheless, it is worth noting that the draft directive published alongside DORA proposes a number of amendments to the Payment Services Directive (PSD2) including:
- Amending the authorization rules (particularly those relating to ICT security controls and mitigation measures) for payment service providers to better align with DORA.
- Aligning the framework for reporting specific ICT-related incidents and major non-ICT-related incidents that would otherwise apply to payment service providers with DORA. From a practical perspective, this will broaden the range of incidents that payment service providers need to report beyond those that relate to payment-related issues. Under DORA, firms will be required to:
  - Establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents, and put in place early warning indicators as alerts.
  - Classify ICT-related incidents and determine their impact based on criteria including the number of users or financial counterparts affected by the disruption caused by the ICT-related incident, and the duration, severity and geographical spread of the incident.
  - Report major ICT-related incidents to the relevant competent authority within the prescribed time limits. Broadly, payment service providers should be prepared to notify the competent authority in their home Member State, without undue delay, of a major operational or security incident that is not an ICT-related incident.
- Ensuring that payment service providers establish an ICT risk mitigation framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks relating to the payment services they provide. As part of that framework, payment service providers should establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents, and address risks to information communication technology in accordance with DORA. The framework also needs to be supported by a digital resilience strategy that sets out how the framework is implemented. Further secondary legislation is expected to be developed on elements to be included in the ICT security policies, procedures, protocols and tools specified in DORA.
A firm’s senior management will have responsibility for defining, approving, overseeing and being continuously accountable for the implementation of all arrangements related to the firm’s ICT risk management framework. A designated individual must also be responsible for overseeing arrangements with ICT third-party service providers.
Payment services providers would be well advised to monitor this area carefully, in particular the finalized legislation and the regulatory technical standards once these are published.
It is worth adding that there may be additional local regulatory and operational resilience requirements which firms are, or will be, required to comply with in due course. Despite being based on similar principles and objectives, we anticipate that mapping out the interaction between DORA, PSD2 and any local regulatory and operational resilience requirements will be challenging for many firms. We have published our Global Operational Resilience and COVID-19 survey report, which is available here and is intended to help firms evaluate and learn from issues arising from the pandemic and apply those lessons going forward in order to enhance their operational resilience.