Dora ‘critical tech vendor’ designation could cast a wide net

Experts think cloud services, data providers and software firms are all in regulators’ sights.


A European Union consultation setting out the criteria for identifying a critical third-party tech vendor under the Digital Operational Resilience Act (Dora) could catch cloud services, data vendors and software providers, according to operational risk experts and lawyers.

“Lots of companies might be ensnared by this, especially in the IT space. How far will it go?” says the head of risk at a European bank. “The list of maybes is long.”

Bradley Rice, partner at law firm Ashurst, says Dora seeks to address the contagion risk that has built up in financial services through ever-increasing digitalization. A large majority of the world’s financial services firms use the biggest cloud providers, for example. The failure of any major cloud provider such as Amazon Web Services or Microsoft could have catastrophic impacts on financial services.

“The cloud providers are the main targets, and that is no secret,” says Rice. “But lots of other firms provide IT, data, trading, reporting and other services to financial market players. Exactly how broad the European regulators go is subject to further regulatory technical standards.”

The head of risk agrees that cloud-based systems are most likely to be considered systemic, especially compared with vendors that install systems locally on-site: “The second anything is cloud-based, then you’re that little bit more vulnerable to one nerve center.”

However, he speculates that the designation could also apply to data providers Bloomberg and Refinitiv, offshore IT service providers such as Infosys and Tata Consultancy Services (TCS) as well as software vendors like BlackRock’s Aladdin and Ion Group.

“If company X goes down, does it cause several other licensed firms to go down at the same time? Most banks are highly dependent on market data providers, in particular Bloomberg, and so they wouldn’t be able to risk-manage or value their books,” says the head of risk.

A spokesperson for Bloomberg says, “We are closely following the development of the detailed implementing rules under Dora, and we plan to fully assess what the final set of requirements may mean for us.”

A Dora systemic determination could result in direct supervision of such tech firms by financial regulators. Being designated critical means the European Supervisory Authorities (ESAs) would have the power to ask vendors for information, assess their security and resiliency, seek remedies for any deficiencies, and ultimately penalize them if they do not comply.

“The uncomfortable truth is that an evaluation of service providers along these lines has never been done before, meaning that neither regulators nor market participants themselves can comfortably claim they have the full picture of the market’s reliance on any given set of providers,” says Nathaniel Lalone, a partner at law firm Katten Muchin Rosenman. “Everyone is operating based on anecdotal evidence or surmise, so the proposed framework is an important step in plugging that gap in our knowledge.”

Still evolving

Lalone emphasizes that the framework set out by the ESAs is still “preliminary”, with more detail to come on how criticality will be determined. Kate Needham-Bennett, senior director of resilience innovation at risk software provider Fusion Risk Management, thinks the definition of a systemic third-party tech vendor is “still evolving”, and will likely include large cloud service providers as well as any information and communication technology third-party service providers (ICT TPPs) that have a large market share.

The ESAs are advocating using what Needham-Bennett calls a “two-pronged approach”, starting with quantifiable factors to narrow down the long list of potential ICT TPPs, followed by factors that scrutinize the potential impacts of disruption due to the interconnected nature of the financial sector.

Software vendors such as Aladdin may already face some regulation, but it is a relatively light regime in the UK, for example. Although BlackRock itself is regulated as an investment firm in the UK, its software is not regulated as a service company by the Financial Conduct Authority. Aladdin’s portfolio management system is used by funds holding more than $20 trillion in assets.

Fatal error

Withdrawal of services to banks by key tech firms can have catastrophic effects. Last year, Amsterdam Trade Bank, a subsidiary of Russia’s Alfa Bank in the Netherlands, collapsed when its cloud providers pulled the plug. The providers were deterred by sanctions against Alfa following Russia’s invasion of Ukraine. As a consequence, ATB staff were not able to access archives and provide regulators with information.

Andrea Enria, chair of the supervisory board of the European Central Bank, said in February 2023 of the ATB case: “The bank was not able to fulfill its function anymore. So, it is to say that if you outsource critical IT functions of your bank, the way in which you do it could be really important for the continuity of services.”

Needham-Bennett says that regulators have driven improvements in risk management in the past, and can be expected to do so again using Dora.

“We’ve had enough financial crises to see that major financial services organizations can fold in a matter of days and customer impact can be felt immediately,” she says.

“Best practices aren’t being implemented, and the speed of impact is so quick that outdated methods of crisis management and response are no longer adequate.”

When Ion Group fell foul of a cyber attack that took key services offline in January, clients complained of a lack of transparency about what happened and an inability to hold the vendor to account. Needham-Bennett believes financial institutions must look at how they can enhance existing programs to build in Dora compliance, bringing their risk and resilience teams for cyber and third-party outsourcing together to collaborate.

However, the head of risk at the European bank says “the jury’s out” on whether clients will get a better quality of service from vendors as a result of Dora. Once designated critical, TPPs will have to pay fees to fund their oversight. He thinks it likely that TPPs will pass on the costs of the Dora regulation by increasing charges to customers for an “exercise in bureaucratic management”.

He also expects big US tech firms will push back against the proposed regulation, as they may need to establish an EU entity to comply with the new rules. This would be a “mega-project”, he observes.

While small firms will avoid regulation, and the largest firms are already set up to handle extra bureaucracy, he thinks some mid-sized firms may be caught, and may struggle to comply. “Plus ça change,” he concludes.

BlackRock, Ion Group and Refinitiv declined to comment for this article. Infosys and TCS did not respond to a request for comment. The joint ESAs’ consultation ends in June 2023.
