DORA Fights Hackers: How new legislation will impact the Fixed Income market
Last week’s Equilend ransomware attack highlights the timeliness of the incoming DORA legislation in Europe. Similar ransomware attacks on ICBC and ION last year showed that banks cannot afford to be cut off from markets for hours, let alone days or weeks.
January 2024 saw the European Supervisory Authorities release the first set of rules under DORA, covering Information and Communication Technology (ICT) risk, third-party risk management and incident classification. Four final draft Regulatory Technical Standards (RTS) were published, aimed at enhancing the digital operational resilience of the EU financial sector.
How DORA impacts the Fixed Income market
DORA will have significant implications for financial institutions in the Fixed Income market and will reshape how they select and manage third-party service providers (vendors).
The newly published regulatory standards will compel financial institutions to set up and maintain a dedicated ICT third-party risk strategy, implement comprehensive business continuity policies and run a management process to monitor ICT-related incidents, all of which will need to be tested periodically. Financial institutions will need to demonstrate robust controls and carry out due diligence and risk assessments of all the third-party vendors they use.
All of this will need to be shared with regulators to help identify and reduce the impact of threats to financial markets.
As with most new regulation, the most obvious impact on the market will be the cost to financial institutions and vendors of complying, as protection against future cyber-attacks and outages, a cost which ultimately may be borne by end users.
What does this mean for vendors in the Fixed Income market?
Perhaps the most significant development will be the classification of Critical third-party service providers. Those vendors which regulators deem to represent systemic risk in the EU, due to the number of financial institutions they serve and the functions they perform, will fall under the direct oversight of supervisory authorities. This will carry significant costs for vendors: complying with new, stringent rules, paying regulator oversight fees and, for vendors not already present, establishing some form of incorporation in the EU. In short, a two-tier vendor marketplace will evolve, with those vendors deemed Critical coming under greater scrutiny.
It is important that vendors take pre-emptive steps to get ahead of DORA, which is due to pass into EU law in early 2025.
Vendors must ensure that their Fixed Income technology fully complies with the latest information security standards (SOC 2), as this is a prerequisite for financial institutions when assessing vendors. Enhanced operational resilience tests and requirements are also a key feature of DORA. At TransFICC, for example, our venue API translation product and eTrading platform for IRS and Credit Bonds are resilience tested daily, and full DR failover processes are in place on our own global network, with 5 physical data centres across the EU and US.
These features significantly reduce ICT risk and ensure institutions can meet and comply with the newly published Regulatory Technical Standards.
How will Financial Institutions adapt their vendor strategy?
There is increased emphasis in the RTS on the substitutability of vendors and on exit strategies for institutions reliant on a single service provider, so we expect to see institutions adopting a more modular approach to their technology stack and using more than one vendor for the same functions, particularly where the function supported is critical. One of the objectives of DORA is to avoid concentration risk on vendors and ensure financial institutions are not locked into one provider.
The final RTS draft published, the ITS on the register of information, will be used by financial institutions as part of their ICT and third-party risk management framework and will enable regulators to supervise that framework effectively. This data will be a key source of information in designating which vendors are critical and therefore require DORA oversight by regulators. The identification of critical vendors will affect both existing and future contractual relationships and agreements.
Planning for DORA
With DORA due to pass into EU law in 2025, it is important that the Fixed Income market (financial institutions and vendors) starts planning for this major change in market structure.
While most regulation adds costs for banks, DORA can also be viewed as an opportunity to test innovative hosted technology with a lower cost of ownership. Modular, hosted software can provide a secure alternative to legacy vendors, but reviewing all available Fixed Income products and services requires a detailed project plan and, most importantly, the time to make an informed decision.
The timetable for DORA compliance is tight, so both financial institutions and vendors need to plan and take action now.