The draft new EU regulation on digital operational resilience for the financial sector, colloquially known as the Digital Operational Resilience Act (DORA), promises to – together with a draft directive – deliver reform to operational risk and risk management requirements in EU financial services.
Though, as a consequence of Brexit, UK policy makers and regulators will not be bound by the EU reforms, financial entities operating in the UK, and their service providers, can expect that the finalised DORA may influence the ICT risk requirements they will face under UK law and regulation.
Background to DORA and European guidelines
DORA includes detailed requirements for managing ICT third party risk, including provisions relating to data and systems security, business continuity, data and service locations, access and audit rights, sub-contracting and termination and exit. It also sets out a range of ICT risk requirements for financial entities to put in place internally, including in relation to policies, testing regimes and managing incidents.
DORA is intended to replace the collection of requirements set out across various elements of EU legislation, including the Markets in Financial Instruments Directive (MiFID II), Solvency II, the delegated regulations made under those frameworks, and the Payment Services Directive 2 (PSD2), to name just a few. It will apply to a range of financial entities, including banks, insurers and asset managers, among other financial services providers.
Many of the current requirements set out in EU law are not directly applicable in member states. This means that, in the UK, these requirements have been implemented through legislation and the rules and guidance of the UK regulators. This UK-specific framework, however, exists in parallel with guidelines provided by the European supervisory authorities (ESAs). Financial institutions have an obligation to make “every effort to comply” with ESA guidelines unless the Financial Conduct Authority (FCA) or Prudential Regulation Authority (PRA) says otherwise.
The ESAs are the European Banking Authority (EBA), the European Insurance and Occupational Pension Authority (EIOPA) and the European Securities and Markets Authority (ESMA). Each has powers to issue guidelines and recommendations with the objective of establishing a “common, uniform and consistent application of Union law”.
ESA guidelines are intended to help national regulators and regulated entities apply EU law. Many financial entities therefore focus much of their attention on meeting the ESA guidelines in order to establish governance and risk processes and controls and contractual arrangements that are effective in complying with the overall requirements of both the EU and UK regulatory framework.
What impact does Brexit have on ESA guidelines?
While negotiations continue between the EU and the UK, the complete picture of how laws will work after the end of the Brexit implementation period (IP), which occurs on IP Completion Day (IPCD) – currently assumed to be 31 December 2020 – remains uncertain. However, the Brexit laws that have already been passed in the UK confirm that much of EU law will continue to apply to the UK after IPCD, in the short term at least, and this body of law has been designated “retained law”.
While retained law includes the collection of requirements spread out across the EU regulations and directives which relate to outsourcing and third party contracts, such as those included in the MiFID II, Solvency II and PSD2 frameworks, it does not include ESA guidelines. This has been confirmed by the Bank of England, and the UK Treasury has further stated that it intends to delete the obligation on businesses to make every effort to comply with them. However, the Bank of England and PRA expect firms and financial market infrastructures – that is, the financial entities they regulate – to continue to make every effort to comply with EU guidelines and recommendations “to the extent that they remain relevant when the UK leaves the EU”.
The FCA has taken a similar approach, describing ESA guidelines as “non-legislative material”. It has also, however, shed some more light on how ESA guidelines “may remain relevant when the UK leaves the EU.”
The FCA has made three significant points relating to: retained EU laws; changes made to pre-IPCD guidelines that occur post-IPCD; and guidelines that come into force after IPCD.
First, it has clarified that, as ESA guidelines have as a key objective the consistent application of EU laws, to the extent that these guidelines interpret retained (EU) laws, they will remain relevant to the UK after IPCD. “[T]he EU non-legislative material will remain relevant post-IPCD to the FCA and market participants in their compliance with regulatory requirements, including provisions in our Handbook”, the FCA has said. Generally, therefore, financial entities regulated by the FCA must continue to make every effort to comply with these existing ESA guidelines unless and until the FCA says otherwise.
Second, care is needed if changes are made after IPCD to guidelines that came into force before IPCD. The FCA has said: “Post-IPCD the FCA may determine that firms, financial institutions or market participants are no longer expected to ‘make every effort to comply’ with a particular pre-IPCD guideline, for example, due to changes made to the relevant legislation. In those circumstances, we may issue guidance accordingly.” When amendments to existing ESA guidelines, or the laws they interpret, take place post-IPCD, financial entities can expect the FCA to clarify the extent to which they remain relevant to the UK.
Third, the FCA has given its view on the relevance of guidelines that come into force after IPCD. It has said that “if relevant, the FCA may consider materials produced by the ESAs post-IPCD, including where pre-IPCD material is updated”, adding that where it considers it appropriate to do so, it “will set out our expectations as to how it should be treated”. The FCA has already begun to do this – for example, in July it announced that EIOPA’s cloud outsourcing guidelines, which will likely come into force after IPCD, will not apply to “regulated activities within the UK’s jurisdiction”.
What will happen when DORA comes into force?
It is expected that the ESAs will revise or repeal their existing guidelines which relate to outsourcing or third party contracts when DORA comes into force. DORA requires the European Commission to adopt delegated regulations under it and the ESAs to prepare a series of regulatory technical standards. These instruments, together with the new regulation which underpins DORA, are intended to set out a comprehensive framework for managing ICT risk for most financial service providers.
In the UK, ESA guidelines such as the EBA guidelines on outsourcing which are currently in force will therefore continue to be relevant as guidelines which interpret the application of any retained EU laws that remain ‘frozen in time’ and a part of UK law, unless the UK regulators clarify that they are no longer relevant. It would be an odd situation, however, if the UK continues to follow EU laws and ESA guidance that has been substantially replaced by the new regime which DORA sets out. It is therefore expected that at least the FCA, and potentially the PRA, will make clear the extent to which each relevant set of ESA guidelines remains relevant once DORA is in force.
We expect that the UK will monitor the outcome of the EU legislative process for DORA very closely. Both the FCA and the PRA engage internationally with their counterparts in other jurisdictions, including in the EU, and see the benefits of greater international alignment of the rule sets which govern outsourcing and third party risk. While DORA will not be directly applicable in the UK, there is good reason for UK financial entities to be aware of the extent to which the EU political negotiations shape the future of outsourcing and ICT third party risk regulation.
What does all this mean for UK financial entities?
There is no reason why UK financial entities should not continue to revise their outsourcing and third party contracts to comply with the EBA guidelines on outsourcing and other existing ESA guidelines which interpret retained EU laws. However, they should be aware that, at any stage after IPCD, the FCA or the PRA may announce that those guidelines are no longer relevant. That said, we would be surprised if any alternative approach taken by the FCA or PRA altered fundamentally the principles on which the current ESA guidelines are based – controls over sub-outsourcing, data security, audit rights and robust business continuity arrangements are matters on which the FCA and PRA are focused, and they would feature in any replacement guidelines.
However, the FCA and PRA may move away from the current guidelines if the EU, through DORA, departs significantly from the positions which the EBA, EIOPA and ESMA have taken in their existing and draft outsourcing and cloud guidelines. We do not expect the EU’s position to change drastically, but this is just the beginning of a long political process, so it is one that we must all watch closely.