Digital operational resilience for the financial sector and amending regulations
Published on April 28, 2022 by Anvitha R Jain and Jeevitha Jaganatha
Digital innovation is transforming financial services. Fintech growth, blockchain, digital wallets and crypto-assets have emerged around the world, while artificial intelligence, cloud services and distributed ledger technology (DLT) are reshaping markets across the financial sector. The COVID-19 pandemic has accelerated this digital transformation: the need for digital connectivity to replace physical interaction between customers and providers has driven adoption in payments, retail banking, insurance and wealth management. With this increase in digitisation, cybersecurity threats have also attracted far more attention.
Figure: percentage of regulators in emerging and advanced economies who reported an increase in fintech usage or offerings as a result of COVID-19.
A 2020 survey by the World Bank and the Cambridge Centre for Alternative Finance found a significant shift to digital financial services, particularly for payments. Regulators reported increased use of digital payments (65 percent), followed by digital banking (24 percent), savings (22 percent) and loans (14 percent).
Information and Communication Technologies
Globalisation has driven the spread of advanced technology across many countries, making electronic finance an essential part of the financial sector. Information and Communication Technologies (ICT) refers to the wide range of information services used to process and manage electronic information. In recent years, innovative services from the information technology sector have allowed several industries to maintain a competitive advantage in the global market.
The growth in digital innovation and advanced technology such as ICT has also led to an increase in cybersecurity threats and cybercrime. In finance, cybercrime refers to profit-driven criminal conduct such as identity theft, ransomware attacks, email and internet fraud, and manipulation of financial accounts.
Cybercrime is increasing rapidly. Research estimates that the cost of cybercrime will grow by 15 percent per year to exceed US$10.5 trillion annually by 2025. A large share of current cybercrime is ransomware, including multi-pronged (double-extortion) attacks that lock up an organisation's data and systems and simultaneously threaten to publish the stolen data unless further payments are made. One such case occurred in late March 2021, when a leading US insurance company paid $40 million to regain control of its network after a ransomware attack. (Source: Bloomberg, https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack )
Figure: most common delivery methods and cybersecurity vulnerabilities causing ransomware infections according to MSPs (managed service providers) worldwide, as of 2020.
The chart shows the primary causes of ransomware infections reported by MSPs worldwide in 2020. According to the report, phishing scams were the most common cause of ransomware infection, cited by 54% of responding MSPs.
Cybersecurity is one of the highest risks faced by financial institutions, so regulators are introducing more stringent cybersecurity rules to reduce and mitigate that risk. One such initiative is the European Commission's proposed Regulation on digital operational resilience for the financial sector (the Digital Operational Resilience Act, DORA), which mainly focuses on the following:
(The accompanying pilot regime for DLT market infrastructures addresses a related issue: it recognises that regulation may need to change in light of new technologies, identifies areas where existing rules may be insufficiently innovation-friendly, and allows DLT market infrastructures to be tested in order to show where existing EU rules conflict with DLT.)
DORA seeks to improve and update existing rules on digital operational resilience, such as ICT governance, ICT risk management, incident reporting and ICT third-party risk, which were previously addressed only in a limited and fragmented way.
It introduces new requirements where gaps exist, including an oversight framework for critical ICT third-party service providers, information sharing on cyber threats, digital operational resilience testing, and the management of ICT third-party risk.
DORA is intended to support digital finance by safeguarding competition, innovation and technology testing, and by taking measures that better enable and enhance the promise of digital finance while limiting risk.
According to the proposal, the regulation would apply to all financial entities regulated at EU level, together with their ICT third-party service providers:
- Financial entities: including, but not limited to, credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, alternative investment fund managers, management companies, insurance undertakings and intermediaries, credit rating agencies, statutory auditors and audit firms, central securities depositories, trade repositories, securitisation repositories and crowdfunding service providers.
- ICT third-party service providers: Include, but are not limited to, cloud computing services, software, data analytics, and data centers.
The main obligations of the DORA proposal are as follows:
1. ICT risk management:
2. ICT-related incidents:
3. Digital operational resilience testing:
Financial entities should conduct digital operational resilience testing on a regular basis to identify weaknesses, deficiencies and gaps in their digital operational resilience, ensure that corrective measures are implemented, and have tests carried out by independent testers (either internal or external).
4. Information sharing arrangements (Article 40)
5. Managing ICT third-party risk
- Where a breach of the regulation or any misleading activity is identified and reported, the Lead Overseer, drawn from one of the authorities listed below, is responsible for investigating it through both off-site (online) and on-site inspections.
- The European Banking Authority (EBA)
- The European Securities and Markets Authority (ESMA)
- The European Insurance and Occupational Pensions Authority (EIOPA)
- To conduct an investigation, the Lead Overseer may require the entity to provide all the required documents and information under Articles 32, 33, 34 and 35, which respectively cover requests for information, general investigations, oversight and follow-up, and the charging of oversight fees.
- As regards penalties, competent authorities may impose administrative penalties and remedial measures, and Member States may additionally provide for criminal penalties; the Lead Overseer may also impose periodic penalty payments on critical ICT third-party providers that fail to comply with its requests.
Although DORA is still being negotiated, it would be a welcome update that reinforces the financial sector's existing rules on digital operational resilience.
This in turn reduces cybersecurity risk and the risk arising from reliance on third-party providers.
About the Authors
Anvitha R Jain has over one year of experience in corporate and forensic compliance and currently works in investment compliance at Acuity Knowledge Partners. She holds a Master's degree in Business Administration, specialising in core finance, from CMS Business School, Jain University.
Jeevitha Jaganatha has over one year of experience in corporate and forensic compliance at Acuity Knowledge Partners and currently works in electronic communication surveillance. She holds a Master's degree in Business Administration, specialising in international finance and accounting, from Jain University, Bengaluru.