A whole plethora of data and digital-resilience regulation is being enacted, or is due to be put into place, in the UK and Europe to shore up overall digital resilience, and rightly so.
What, however, will drive the success of DORA and others – rigorous compliance deadlines or ruthless competition dynamics?
Bills, schemes and initiatives, both national and international, are being ushered in as the payments industry, and the world at large, adapts and responds to digitalisation.
Of course, this presents huge challenges to the industry, both in its compliance efforts and in scoping out its data strategy, which may have been conceived quite differently from what the new diktats demand.
Arguably the most impactful is DORA, the Digital Operational Resilience Act, perhaps because it speaks to the huge proliferation of digital services and diversification of service providers in our industry, as well as their internationally connected nature.
This is an EU regulation that is due to come into effect in January 2025, having been introduced in January 2023.
Alongside step-changes in the technologies that underpin payments and financial services come new vulnerabilities in equal measure in the security of those systems; the more partners are relied upon to make up the bulk of services, the greater the surface area of the collective network, and the greater the vulnerability.
This applies both to the resilience of the system against errors and downtime and to the ever-present threat of malicious attacks.
In its own words, the act harmonises various rules relating to 20 different types of financial entities to shore up defences in the event of severe operational disruption.
It covers rules on ICT risk management, setting out principles and requirements for ICT risk management frameworks, and on ICT third-party risk management, encompassing the monitoring of third-party providers and key contractual provisions.
Digital operational resilience testing, both basic and advanced, will come into play, as will an obligation and framework for reporting major ICT-related incidents to competent authorities.
Alignment For The Greater Good
Furthermore, the sharing of intelligence on cyber threats will be a requisite and will need to follow a standard, and, crucially, there will be an oversight framework for critical ICT third-party providers.
At an individual country level, and particularly so in the UK, DORA will sit alongside a number of other, related regulatory requirements.
As Tiernan Connolly, Managing Director, Cyber and Data Resilience, Kroll, says, “While DORA is focused on the financial industry, including payments, and NIS2 (Network and Information Security Directive 2) applies to a large number of other sectors in the EU, we can expect the UK government’s upcoming Cyber Security and Resilience Bill to address similar controls and requirements for a broad spectrum of sectors; however, its rollout will lag behind as the bill will not be introduced to the UK parliament until 2025.”
He notes the greater supervisory power UK regulators will have to ensure firms are implementing appropriate cybersecurity measures, including notifying the regulators as and when major incidents occur.
Country Level Additions
“The UK Data Protection and Digital Information Bill differs from [NIS2 and DORA] as it focuses on data protection regulatory uplifts as well as other data-focused initiatives such as digital verification services and smart data schemes, which would enable customer data to be shared securely with authorised third-party providers upon the customer’s request,” Connolly suggests.
“These initiatives are intended to support and drive digital innovation and open banking, in a similar vein to the EU, rather than stifle or inhibit it.”
Among the many challenges such changes and implementations present to payments and beyond is the establishment of a robust IT third-party and supply chain risk management framework to provide ongoing governance and assurance that vendors are operating securely and protecting [company] and client data, Connolly says.
The potential for significant penalties and fines for non-compliance, along with the resulting reputational and business impact, is another.
“Additionally, as seen with NIS2, for example, personal liability for management may apply if gross negligence is proven, such as in the aftermath of a major cyber incident,” he says.
Perhaps most significant are the challenging timelines for incident reporting.
“DORA requires an initial report to be sent to the regulator within four hours of determining the incident as major, while for NIS2 it is 24 hours. The UK Cyber Security and Resilience (CSR) Bill will also include similar mandatory requirements.
This means that incidents will not only need to be responded to and contained in a timely manner but also swiftly classified in parallel in terms of their criticality and impact to determine if they are reportable.”
Payments, of course, is intrinsically linked to much of the fabric of financial services to which these rules will apply, and specifically, as Connolly notes, “the DISD Bill will also have ramifications for the payments industry, which will need to adapt and adopt to the new regime”.
This includes designing and implementing technologies and processes to ensure compliance with its provisions.
The UK’s Digital Information and Smart Data (DISD) Bill has largely replaced the Data Protection and Digital Information Bill in a more focused effort to understand, control and prosper through data use and systems, with a keen emphasis on supporting AI development, safeguards and privacy frameworks.
A concept of a National Data Library has also been floated as part of this and backed by businesses and MPs in a bid to support start-ups and scientists in their AI model development and to attract talent and investment to the country.
UK law firm Harbottle & Lewis, which specialises in technology and media, explains that this bill would govern a comprehensive range of matters: from physical installation to permissions and access across the public and private sectors, boosting services and enterprise and, as a result, exports and the economy; digital identity; and – simultaneously frighteningly and reassuringly – data controls and rights around children’s online activity, particularly in the event of suicide.
The rights under the Online Safety Act, which the DISD Bill would complement, currently apply only to living people, and coroners’ investigations into child deaths have been hampered by this when seeking copies of personal data from social media companies.
All this comes amid Schrems III and its privacy framework, to mention yet another data-related act, and in the wider context of PSD2 and ISO 20022 as well.
The payments industry has its work cut out.
Depending on whom you ask, different deadlines will be given different priorities, led by the core nature of the business in question.
Ultimately, though, in the business of moving money, payments providers, individually and collectively, are going to be penalised for cracks in resilience, and not just by the authorities that be.
We have seen in the last year incidents of system outages of increasingly detrimental impact.
Commercial Repercussions
Without wanting to shine a negative light on any one provider in particular, since it does require a collective effort to stabilise and shore up the system, the global outage of Square in September 2023 resulted in the threat of a major class action against Block.
Its payment services went down for four days across its eight markets as a result of a Domain Name System (DNS) issue after “several standard updates” to its internal network software.
Grant Halverson, CEO of payments consultancy McLean Roche, said at the time, only too rightly, that lawyers would be “salivating” over the chance to incorporate merchant losses into a class action.
Based on Square’s Q1 and Q2 earnings and gross merchant value, four days of lost sales would have amounted to $2.4bn for Square’s merchant customers.
Merchants did file a successful class action against Tyro Eftpos in Australia in 2021, winning A$5m ($3.2m) for up to a month’s worth of lost non-cash sales.
And of course there was the rather ironic outage at cybersecurity company CrowdStrike in July 2024, caused by system updates.
The pressure and burden of priorities is real.
When a threat is posed to individual pockets, self-preserving market dynamics are likely to prevail and outrun regulatory mandates.
Whatever the state of collective resilience, there will be collective unanimity on that front, that’s for sure.
Where Are We At?
A McKinsey report in June 2024 highlighted some key budget allocations and technical challenges associated with DORA on the part of financial institutions (FIs) and their providers.
It said that, as of April 2024, most organisations it had spoken to had completed a gap analysis and were in the process of rolling out implementation programmes.
Yet uncertainty abounded around the precise requirements of the legislation, the scope of key details and the timeline.
“The breadth of the DORA program, given the broad range of topics, is unavoidable. However, the chosen depth of scoping significantly impacts the size of the effort required to achieve compliance,” said one chief information security officer.
Such uncertainty has led to an increase in budget allocations at many firms.
Granted, many of the firms that McKinsey deals with are on the larger side of the spectrum, but the figures outlined indicate some of the work ahead, with €5m to €15m typically pegged for strategy, planning, design and orchestration related to DORA.
Some estimates are being tipped at five to ten times that range.
“One large FI reported that its final planned DORA implementation spend across the group amounted to nearly $100m, split between programme orchestration and technology control upgrades.
“According to our conversations with other FIs, we expect similar multiples across the financial industry, particularly at large companies or those that struggle to adopt a risk-based approach to scoping,” McKinsey stated in its report, Europe’s new resilience regime: The race to get ready for DORA.
Somewhat obviously, one stand-out challenge for the respondents was ICT third-party risk management, requiring, as the report states, significant efforts on two fronts: “ensuring comprehensive oversight of all ICT service providers and their associated risk and proactively managing the digital risk associated with critical ICT third-party service providers.”
Contract remediation follows in tow, with between 20 and 3,000 remediations in progress, depending on the company – a staggering discrepancy.
Organisations are having to work hard and work closely with legal counsel to define what constitutes a “critical” ICT third-party service provider under Article 31 of DORA, and indeed to what extent each partner needs to be in scope.
Another challenge is the gulf in compliance resources between the larger and smaller firms that work together, making protracted deadlines and implementation likely.
While only a third of respondents expressed confidence in meeting all DORA requirements by January 2025, it is clear from the detail that worthwhile efforts are in train, with the requisite levels of granularity.
Perhaps the greatest work here is in the redefinition of risk assessments and appetites and a new direction for competitive standards.
The post Regulation: Collective responsibility or competitive ruthlessness? appeared first on Payments Cards & Mobile.