It is imperative for financial services firms to enhance their operational resilience in reaction to the European Union’s Digital Operational Resilience Act (DORA) and other global regulations, says a whitepaper commissioned by Broadridge.
‘Building Resilience Across Borders: A holistic approach to global operational resilience and navigating the regulatory maze’ highlights the extensive regulatory expectations and the strategic preparations necessary for compliance.
Industry needs to address ahead of the January 17, 2025 deadline
Mike Sleightholme, President of Broadridge International, said: “Now more than ever, operational resiliency is a critical priority for financial firms around the world, driven by a fundamental need to strengthen trust and security in response to the growing risk of cyberattacks and disruptions. The broad and in-depth scope of DORA mandates a significant transformation in risk management frameworks, policies and governance structures relating to both in-house and third-party systems, posing urgent challenges that the industry needs to address ahead of the January 17, 2025 deadline.”
Virginie O’Shea, Founder of Firebrand Research, who worked with Broadridge to develop the whitepaper, said: “Regulators are emphasizing and prioritizing operational resilience, yet there is a growing sense that many firms remain far from ready, exposing themselves not only to operational resiliency risk but also to regulatory compliance risk. Firms must act now to mobilize their DORA action plans, including a detailed assessment of their critical systems and services, and an impact analysis to ensure they can deliver a compliant operating model and meet recovery and reporting objectives aligned to DORA’s requirements.”
US, Canada, UK, South Africa, Japan, Hong Kong, Singapore, and Australia also tightening rules
The whitepaper concludes that besides the EU, regions such as the US, Canada, the UK, South Africa, Japan, Hong Kong, Singapore, and Australia are also tightening their operational resilience regulations.
The global scope and impact of DORA mandates significant changes to operational risk management and resilience across nearly all areas of financial services, impacting firms operating in the EU irrespective of where their headquarters and third-party suppliers are located, the report found.
“Clock is ticking, firms must begin their DORA compliance preparations now as the January 2025 enforcement date necessitates extensive system reviews and data reporting readiness,” said Broadridge, adding that firms must focus resources on mobilizing their action plan, potentially leveraging mutualized shared services.
The report also warns that noncompliance with operational resilience mandates is likely to result in stringent enforcement actions.
Adesso launched Compl.AI for DORA compliance
In July, Adesso launched Compl.AI, a tool that leverages generative AI to help financial services firms review contracts in adherence with the European Union’s Digital Operational Resilience Act (DORA) directive. Compl.AI will support banks and insurance companies operating under the directive, which requires financial companies based in the EU to improve their IT resilience.
It will provide an automated review of service provider contracts for compliance requirements and allow repeated review of contracts in the event of changes in requirements.
Compl.AI is a SaaS solution leveraging GenAI technology and the collective knowledge of Adesso’s DORA experts to conduct a fast, automated gap analysis of contracts and documents to review compliance with all DORA requirements. The tool clearly defines whether the requirements have been fully, partially, or not fulfilled, including source and page references.
Adesso’s new product aims to reduce the burden on banks and insurance companies, which often have hundreds of contracts in place with different ICT service providers. Laborious manual checks by in-house specialists or expensive external reviewers are now a thing of the past. It is also possible to re-examine amended contracts or perform another check if regulatory requirements are updated.