Table of Contents
Click to navigate to section
Part I: Corporate Governance and Risk Management at U.S. Banks and U.S. BHCs
a. Historical Background
b. Legal and Regulatory Duties of Directors and Management at U.S. Banks and U.S. BHCs
c. Supervision of Bank Governance and Risk Management at U.S. Banks and U.S. BHCs
d. Policy Issues with the Current Requirements Applicable to Directors and Management
Part II: The Digital Operational Resilience Act
a. DORA’s Approach to the Management of ICT Third-Party Risk
b. Similarities to Existing Outsourcing Frameworks
c. Divergences from Existing Outsourcing Frameworks
Part III: Recommendations for a More Effective DORA
a. Establishing a Proportionate and Risk-Based Regulatory Framework
b. Promoting Cross-Border Regulatory Harmonization and Coordination
c. Facilitating Innovation While Promoting Operational Resilience
Executive Summary
In September 2020, the European Commission released a proposed regulation on digital operational resilience for the financial sector (“DORA”). DORA aims to establish a detailed and comprehensive framework on digital operational resilience for financial entities in the European Union (“EU”). DORA includes provisions governing the manage-ment of risks associated with financial institutions’ outsourcing of technology functions to technology providers and mandating direct regulatory oversight of critical technology pro-viders. Those provisions, and their application to cloud service providers, are the focus of this report.
Our report begins by providing an overview of the costs and benefits of cloud tech-nology for financial companies; we find that cloud technology can offer significant benefits to financial companies. We then describe the current regulatory frameworks that apply to financial institutions’ use of third-party technology providers, including cloud service pro-viders, in various jurisdictions. Next, we describe key provisions of DORA that apply to cloud and other technology service providers and how such provisions are similar to or diverge from the current frameworks described in the previous section. We conclude by recommending that the EU revise DORA in certain key respects to better align with the approach in other jurisdictions as DORA’s divergences from other jurisdictions’ regulation of cloud and other third-party technology services may unnecessarily discourage the adoption of such services by financial companies.
Part I of the report provides background on technology outsourcing in the financial sector and current regulatory and supervisory frameworks. It provides a brief overview of financial institutions’ use of technology outsourcing and its risks and benefits, focusing on cloud computing. It then describes current supervisory frameworks governing outsourcing in the financial sector, with a focus on outsourcing guidelines issued by EU financial regulators.
Part II describes provisions in DORA governing the management of third-party risk by financial institutions, which include key principles governing sound management of third-party risk and a framework for direct oversight of third-party service providers deemed “critical” by EU supervisory authorities. It identifies similarities between DORA’s key principles governing third-party risk management and existing supervisory frame-works for outsourcing. It then describes key elements of DORA’s direct oversight frame-work, which represents a significant departure from current supervisory approaches to technology outsourcing.
Part III of the report then turns to an evaluation of DORA’s proposed direct over-sight framework, in light of its stated goals as well as its divergence from current outsourc-ing frameworks. DORA’s aims include establishing a proportionate and risk-based frame-work for digital operational resilience, which takes into account both the likelihood and magnitude of potential risks, as well as the cost of mitigating them; facilitating innovation while promoting digital operational resilience; and promoting cross-border regulatory har-monization and coordination. Part III of the report shows where the DORA’s direct over-sight framework falls short on those measures and outlines changes that could improve the effectiveness of the proposed oversight framework.
Part I: Technology Outsourcing in the Financial Sector; Regulatory and Supervisory Frameworks
a. Technology Outsourcing in the Financial Sector – Benefits and Risks
Financial institutions in the United States, EU, and other major markets increas-ingly outsource certain functions to technology service providers (“TSPs”). For example, banks, insurers, and asset managers frequently contract with TSPs for data storage and infrastructure, network management, analytics, and software. These tools help financial institutions manage customer relations, monitor regulatory compliance, and execute core business functions like lending and trading.
One growing segment of technology outsourcing involves cloud computing: the use of computing resources over a network (such as the internet) in a manner that scales automatically with demand and allows customers to pay based on their usage. Financial institutions use cloud services to support various functions, such as delivering mobile services to clients and processing payments. Cloud adoption by financial institutions in-creased threefold from 2016 to 2018, and this trend is expected to continue.
The use of cloud services by financial institutions is associated with both benefits and risks. Cloud computing can help enhance security and operational resilience in the financial sector. Benefitting from economies of scale compared to their individual clients, cloud service providers can make larger investments in digital security and automated systems to detect and remedy issues quickly. Major cloud platforms are built to support stringent security requirements, allowing clients to manage cyber risk using best prac-tices, standards, data encryption and activity logging. The distributed nature of storage and processing in the cloud can also provide financial institutions with greater operational resiliency: cloud providers, for example, can distribute data centers geographically in or-der to mitigate the impact of disruptions in any single region. The computing resources made available through the cloud can also facilitate the deployment, by both financial institutions and their regulators, of stronger data analytics tools, which can improve com-pliance monitoring, risk management, and supervisory analysis.
Another potential benefit of cloud computing is lower costs. The use of cloud ser-vices can help lower financial institutions’ technology infrastructure costs, by obviating the need for firms to make significant capital expenditures in proprietary data centers. This translates to increasing agility when financial institutions develop new products and ser-vices; the cloud’s scalability allows financial institutions to test new scenarios, software tools and alternative configurations without a lengthy purchasing and provisioning process. Widespread use of cloud can also facilitate financial sector competition, by provid-ing smaller firms and start-ups with access to cost-effective technology resources that would otherwise be available only to larger, well-established financial institutions.
The use of cloud services by financial companies may also involve novel risks. Some of these risks arise out of the unique technical features of cloud computing. Cloud computing depends on multi-tenancy: the ability of multiple clients to share the same pool of computing resources. Multi-tenancy can give rise to the risk that other parties may have access to the same computing environment as financial institutions that use the cloud, which could potentially allow unauthorized parties to access financial institutions’ data. Cloud service providers protect against this possibility by virtually segregating workloads and data using techniques like firewalls; more advanced cloud providers have addressed multi-tenancy risk by blocking access by unauthorized parties at the chip level.
b. Current Requirements on Financial Sector Technology Outsourcing
In response to the increasing trend of financial institutions outsourcing technology functions to cloud and other TSPs, financial regulators have issued principles-based reg-ulations and guidance addressing outsourcing by financial institutions. This section pro-vides a brief overview of the comprehensive supervisory frameworks governing outsourc-ing by financial institutions, with a focus on outsourcing guidelines issued by the European Banking Authority (“EBA”), European Securities and Markets Authority (“ESMA”) and the European Insurance and Occupational Pensions Authority (“EIOPA”) (collectively, the “European Supervisory Authorities” or “ESAs”).
In 2019, the EBA published revised outsourcing guidelines, which incorporated earlier EBA recommendations on outsourcing to cloud service providers. And in 2020, both ESMA and EIOPA issued cloud-specific outsourcing guidelines. These guidelines, where implemented, superseded existing outsourcing regulations and guidelines issued by national financial regulators. They also overlap with non-financial sector specific cy-bersecurity legislation, such as the Directive on Security of Network and Information Sys-tems (NIS Directive, which the European Commission recently proposed to revise) and the General Data Protection Regulation (GDPR),19 that are relevant to technology out-sourcing by financial institutions.
A common theme of the existing supervisory frameworks for outsourcing is that financial institutions that use TSPs retain primary responsibility for assessing and man-aging risk in connection with the outsourced services; financial institutions’ responsibility and accountability for outsourced services cannot be delegated to TSPs. Another shared principle is that regulatory expectations vary based on the relative importance of outsourced functions: stricter criteria apply where financial institutions outsource material, critical or important functions. Factors that are considered when determining the im-portance of a function include whether it has a strong impact on a financial institutions’ risk profile or internal control framework. Relatedly, supervisory frameworks generally emphasize that financial institutions should assess and monitor outsourcing arrange-ments, and regulators should review compliance with outsourcing standards, following a risk-based approach—taking into account both the nature of the outsourced function and its potential risks.
1. Outsourcing Prerequisites
Outsourcing frameworks generally impose prerequisites on outsourcing, such as pre-outsourcing risk assessment and due diligence and prior notice to regulators. The EBA guidelines direct financial institutions, before engaging in outsourcing, to undertake a preliminary risk assessment of a TSP and the services to be outsourced. The United States’ supervisory framework imposes similar requirements: outsourcing guidelines pub-lished by the Federal Financial Institutions Examination Council (“FFIEC”), an interagency body composed of U.S. bank regulators, provide that a banking institution should perform due diligence on a TSP in order to ensure that it meets the institution’s needs. In a more recent informational notice on cloud computing, the FFIEC emphasized that security-related risks should be identified during planning, due diligence, and the selection of the cloud service provider.
The EBA guidelines also provide that financial institutions should inform their re-spective regulatory authorities in a timely manner or engage in supervisory dialogue with competent authorities regarding planned outsourcing of critical or important functions (or where a previously outsourced function becomes critical or important). Both the ESMA and EIOPA cloud outsourcing guidelines include similar requirements. Other jurisdic-tions, such as South Korea, require regulatory approval for certain kinds of outsourcing, including the use of cloud services.
2. Data Protection and Security
Regulatory authorities generally emphasize the importance of data protection and security issues in connection with outsourced activities.
The EBA outsourcing guidelines require that financial institutions ensure that ser-vice providers comply with appropriate information security standards, and that data and system security requirements are defined within the outsourcing agreement and continue to be monitored for compliance. The guidelines also mandate that financial institutions include in outsourcing contracts for critical or important functions provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data. Similarly, the ESMA guidelines provide that an outsourcing firm should set information security require-ments in its cloud services agreement, in a manner that is proportionate to the nature, scale and complexity of the outsourced function. And the EIOPA guidelines direct in-surers, when outsourcing critical or important functions to the cloud, to define specific information security requirements in their cloud services agreements and monitor compli-ance on an ongoing basis.
Although outsourcing frameworks typically do not impose any specific measures regarding the storage and usage of data, they do expect financial institutions to consider whether specific measures are necessary to appropriately protect data. The FFIEC’s informational notice on cloud computing, for example, outlines relevant risk management practices for cloud security management, including security controls for data.
3. Additional Requirements for Sensitive Personal Data and Customer Information
Some regulators set forth specific requirements or guidance in connection with sensitive data, such as personal information. The EBA outsourcing guidelines, for example, mandate that financial institutions take a risk-based approach to seeing that sensitive data is adequately protected and kept confidential by TSPs. In particular, financial insti-tutions are required to take into account differences between privacy regimes in different jurisdictions, especially in connection with the requirements imposed by the GDPR. The ESMA and EIOPA guidelines likewise note that financial firms should take special account of sensitive data, and the potential impact of GDPR requirements, when outsourcing to cloud service providers. The FFIEC outsourcing guidelines require banking institutions to ensure that service providers have appropriate measures in place to comply with ap-plicable laws and supervisory expectations governing the confidentiality of customer in-formation.
4. Cross-Border Outsourcing
Outsourcing frameworks also address cross-border outsourcing. The focus on the location of data has become particularly salient in connection with the use of cloud services. The EBA, ESMA and EIOPA outsourcing guidelines require financial institutions to adopt a risk-based approach to data storage and processing locations, and to consider differences between jurisdictions regarding the protection of data. The EBA and ESMA guidelines also direct national financial regulators to ensure that they can perform effec-tive supervision, in particular when institutions outsource critical or important functions, outside the EU/European Economic Area. FFIEC’s cloud computing guidance similarly notes that a banking institution should understand the applicability of laws within a host country and the banking institution’s ability to control access to its data before transferring data to another jurisdiction. Several jurisdictions have imposed data residency require-ments in connection with technology outsourcing, such as the use of cloud services.
China, for example, requires that all storage, processing and analysis of personal financial information must be conducted within China.
5. Business Continuity and Exit Strategies
Outsourcing frameworks generally require that financial institutions put in place business continuity plans dealing with service disruptions and other contingencies—es-pecially the ability to terminate the outsourcing arrangement without disrupting any material functions. The EBA outsourcing guidelines require financial institutions to implement arrangements to maintain their ongoing functions if services provided by a service pro-vider fail or deteriorate to an unacceptable degree. Similarly, the ESMA and EIOPA guidelines direct outsourcing firms, when outsourcing critical or important functions, to ensure that effective business continuity and disaster recovery controls are in place. The cloud computing notice recently published by the FFIEC provides that a banking in-stitution’s management should review and assess the resilience capabilities and service options available from a cloud service provider, and the outsourcing contract should out-line the capabilities required by the institution. In addition, management should regularly update and test resilience and recovery capabilities—testing which may need to be conducted jointly with the cloud provider.
A critical aspect of business continuity, emphasized across outsourcing frame-works, is the ability to smoothly terminate an outsourcing arrangement. The EBA out-sourcing guidelines, for example, provide that a financial institution should make sure that it can exit a service arrangement, if needed, without disrupting provision of services and without being detrimental to the continuity of its services. To that end, the guidelines require that outsourcing financial institutions develop and test comprehensive exit plans and identify alternative solutions to enable them to retrieve outsourced functions and data from a service provider and transfer them to alternative providers or back to the institu-tion. The EBA guidelines also mandate that outsourcing agreements include an obliga-tion for service providers to support, in the event of termination, a financial institution in the transfer of activity, data or services to another service provider or back to the institution. The ESMA and EIOPA cloud outsourcing guidelines impose similar requirements in connection with the termination of cloud outsourcing arrangements. Cloud-specific guidelines issued by other regulators include detailed, specific requirements regarding termination of cloud service arrangements.
6. Ongoing Monitoring and Risk Management
Regulators generally require financial institutions to have monitoring and control frameworks in place for outsourcing arrangements and underscore that risk assessment and management continue after a financial institution enters into an outsourcing arrangement. They mandate that financial institutions review and monitor the performance of service providers on an ongoing basis using a risk-based, proportionate approach. Regulatory authorities focus on two aspects of outsourcing institutions’ ongoing responsibilities: (1) securing certain access and information rights, including the right to audit the service provider, and (2) ensuring that monitoring by financial institutions (particularly audits) is sufficient and meets generally recognized standards.
The EBA outsourcing guidelines, for example, require that financial institutions secure from service providers (including cloud providers) both a right to audit as well as a right of physical access to the service providers’ relevant business premises. Such access and audit rights are required for both the institutions themselves as well as, with respect to any outsourcing of critical or important functions, their regulatory supervisors. The EBA guidelines also direct financial institutions to ensure that they can carry out penetration testing to assess the effectiveness of security measures and processes. The FFIEC’s outsourcing guidelines provide that a banking institution’s outsourcing contract should specify the rights of the institution and its regulatory agencies to obtain the results of independent audits in a timely manner.
While each of the EBA, ESMA and EIOPA guidelines allows financial institutions to rely on third-party certifications and reports for ongoing monitoring in certain circumstances, they require that those certifications and reports be based on generally recognized auditing standards and be performed by auditors with adequate expertise. The guidelines impose consistent standards in connection with community audits organized by a group of financial institutions that appoint a lead auditor from one of the institutions or an independent third-party auditor on their behalf. Similarly, FFIEC’s cloud computing guidance recommends that banking institutions make use of auditors to eval-uate the adequacy of cloud service providers’ internal controls, and in particular, notes that the assistance of third-party auditors with expertise in evaluating cloud environments may be necessary.
7. Authority of Financial Regulators
Importantly, most financial regulators, including the ESAs and national financial regulators in the EU, currently lack the authority to directly supervise TSPs to ensure that regulatory expectations are met, and therefore lack a well-developed framework for using their supervisory tools to engage with TSPs. To the extent that they have the authority to conduct inspections or obtain information from TSPs, it arises indirectly from mandatory audit and access provisions included in outsourcing contracts between financial institutions and TSPs. Their access is limited to what is included in the outsourcing contract. In this respect, the United States is currently an outlier: U.S. bank regulators have statutory authority to supervise TSPs that provide services to banks and the FFIEC has issued guidance to agencies on how they should supervise TSPs.
Part II: The Digital Operational Resilience Act
a. DORA’s Approach to the Management of ICT Third-Party Risk
DORA aims to establish a comprehensive framework on digital operational resili-ence for EU financial entities. It focuses on: (1) information and communication technol-ogies (“ICT”) risk management; (2) management, classification and reporting of ICT-related incidents; (3) digital operational resilience testing; and (4) managing ICT third-party risk. If enacted, the DORA provisions concerning the management of ICT third-party risk would alter the regulatory framework that applies to technology outsourcing by financial institutions in the EU, including their use of cloud services. DORA and any regulations promulgated thereunder would supersede current national regulatory provisions and supervisory approaches governing operational resilience and ICT security. To the extent that DORA conflicts with existing outsourcing guidelines issued by each of the ESAs, the ESAs are expected to bring those guidelines into line with DORA once it is finalized.
The DORA provisions on managing ICT third-party risk include: (1) key principles governing financial entities’ sound management of third-party risk; and (2) a framework for the oversight of ICT third-party service providers (“TPPs”) designated as “critical.” As described in Part II.B., the key principles set forth in DORA share important similarities with existing supervisory frameworks for outsourcing, including the current outsourcing guidelines published by the ESAs. For example, like existing outsourcing frameworks, DORA’s key principles provide that financial entities that outsource technology services retain primary responsibility for ICT risk management, including compliance with, and the discharge of, all obligations under DORA and applicable financial services law. DORA’s key principles also state that financial entities’ management of ICT third party risk must be implemented in light of the principle of proportionality, as is generally the case under other outsourcing frameworks.
DORA would also establish a new EU-level oversight framework for certain TSPs designated as “critical” by the ESAs. Specifically, the Joint Committee of the ESAs, upon recommendation from a newly established “Oversight Forum” composed of the ESA chairs and senior representatives from national financial authorities, must designate the TSPs that are “critical” for financial entities (“CTPPs”) according to specified criteria. The criteria include the: (i) systemic impact on the stability, continuity or quality of the provision of financial services if the TSP were to experience a large scale operational failure; (ii) systemic character or importance of the financial entities66 that rely on the TSP; (iii) reliance of financial entities on the services provided by a particular TSP in relation to critical or important functions of financial entities that ultimately involve that same TSP; (iv) degree of substitutability of the TSP; (v) number of EU member states in which the TSP provides services; and (vi) number of EU member states in which financial entities using the TSP operate.
The Joint Committee of the ESAs must appoint either the EBA, ESMA, or EIOPA as “Lead Overseer” for each CTPP. The Lead Overseer is responsible for the direct monitoring of a CTPP at the EU level to evaluate potential financial sector risks that it could pose, and is vested with broad supervisory authorities to discharge its responsibilities. The ESA that will serve as “Lead Overseer” for a particular CTPP is chosen based on the total value of assets of the financial entities using the CTPP’s services.
The CTPP oversight regime represents a significant departure from the current regulatory framework for technology outsourcing by financial institutions in Europe—EU financial regulators currently supervise and impose outsourcing requirements on financial institutions, but do not directly supervise TSPs. Key elements of this novel oversight framework are detailed in Part II.C.
b. Similarities to Existing Outsourcing Frameworks
This section focuses on similarities between DORA’s key principles for a sound management of ICT third-party risk by financial entities and existing supervisory frame-works governing outsourcing, including outsourcing guidelines published by the ESAs.
1. Outsourcing Prerequisites
Like existing outsourcing frameworks, DORA requires financial entities to under-take a risk assessment and due diligence before entering into a service agreement with a third-party service provider. This assessment and diligence process involves familiar elements such as determining whether the proposed arrangement covers a “critical or important function” and ensuring that the proposed service provider is suitable. And similar to the ESAs’ existing outsourcing guidelines, DORA’s key principles require financial entities to report new outsourcing arrangements to the applicable regulator.
2. Data Protection and Security
Like existing outsourcing frameworks, DORA’s key principles for a sound management of ICT third-party risk address security requirements associated with outsourcing arrangements: they provide that financial entities may only outsource ICT functions to service providers that comply with appropriate security standards. In addition, the proposed rules outline contractual provisions that must be included in a financial entity’s out-sourcing arrangements; these include requirements that the ICT service provider have in place security measures that satisfy the financial entity’s regulatory framework and provisions that address the integrity, security and protection of personal data.
3. Cross-Border Outsourcing
Like existing outsourcing regulations and guidelines, DORA’s key principles for the management of ICT third-party risk require financial entities to take into account risks associated with cross-border outsourcing. They provide that before concluding a contract with an ICT service provider in another country, financial entities should consider factors such as the data protection regime in place in that country, the effective enforcement of law, and constraints that may arise with respect to urgent data recovery. They also require contracts for ICT services to specify the locations where functions and services are to be provided, including the storage location, and require notification if any change in location is expected.
4. Business Continuity and Exit Strategies
In addition, the key principles set forth in DORA, like existing supervisory frameworks for outsourcing, require financial entities to plan for service disruptions and other contingencies, including by maintaining the ability to terminate a service arrangement with an ICT service provider without disrupting material functions. The DORA principles require financial entities to ensure that service arrangements are terminated under specific circumstances (for example, when the service provider has “evidenced weaknesses” in the way it ensures the security and integrity of sensitive data); to put in place comprehensive exit strategies to transition functions away from a service provider and maintain business continuity; and to include contractual provisions covering contingency plans, termination rights and exit strategies.
5. Ongoing Monitoring and Risk Management
DORA’s ICT third-party risk management principles also emphasize the im-portance of ongoing monitoring using a risk-based approach. As with the existing out-sourcing frameworks, the proposed rules require financial entities to secure access and information rights, including the right to audit the service provider. They also provide that audits should adhere to commonly accepted audit standards and, for outsourcing that involves a high level of technological complexity, a financial entity must ensure that auditors have the appropriate skills and knowledge to effectively assess the service provider.
c. Divergences from Existing Outsourcing Frameworks
This section highlights notable divergences between DORA provisions governing financial entities’ management of third-party ICT risk and existing guidance on technology outsourcing, focusing on DORA’s provisions concerning the direct oversight of TSPs deemed “critical.” As described above, there is no legal or regulatory precedent in Europe for the DORA CTPP oversight framework, which provides for the direct supervision of certain TSPs by EU financial regulators. The proposed direct oversight framework also represents a meaningful departure from the current oversight framework for TSPs in the United States, which involves risk-based—not prescriptive—supervision whose primary aim is to help client financial institutions comply with applicable legal requirements. Key elements of this novel oversight framework are summarized below.
1. Direct, Ongoing Supervision of CTPPs and Annual Oversight Plans
DORA establishes a robust supervisory framework that subjects each TSP designated as “critical” to direct, ongoing oversight by the ESA designated as its Lead Overseer. Under DORA, a CTPP’s Lead Overseer must assess whether the CTPP has sound, comprehensive, and effective rules, mechanisms, procedures, and arrangements in place to manage the ICT risks that it could pose to financial entities. The assessment includes, inter alia, the CTPP’s risk management processes, governance arrangements, physical security contributing to ensuring ICT security (e.g., security of data centers), ICT audits, and testing of ICT systems, infrastructure and controls. Based on this assessment, the Lead Overseer must adopt a “clear, detailed and reasoned individual Oversight plan” annually for each CTPP.
The proposed framework for direct supervision of CTPPs represents a significant departure from current supervisory approaches, in two respects. First, to the extent that financial supervisors currently have the authority to conduct inspections or obtain information from TSPs, that authority generally arises indirectly from provisions included in contracts with financial entities—not from independent regulatory authority. In addition, supervisors that have the legal authority, whether embodied in regulation or contract, to oversee TSPs, lack a well-developed framework for exercising it and rarely do so.
2. Information, Investigation, and Inspection Powers
To carry out its supervisory responsibilities, the Lead Overseer is vested with broad powers to request information and documents, including potentially sensitive data, from a CTPP and to conduct investigations and inspections of its business premises.
The Lead Overseer may request or require the CTPP to provide all information that is necessary for the Lead Overseer to discharge its duties under DORA. Information that must be provided includes “all relevant business or operational documents, contracts, policies documentation, ICT security audit reports, ICT-related incident reports” and information regarding parties to whom the CTPP has outsourced operational functions.
The Lead Overseer is also authorized to conduct general investigations, assisted by a dedicated examination team for each CTPP. Its powers in connection with investigations include the right to examine and take copies of records, data, procedures and other relevant material; summon representatives of the CTPP for oral or written explanations of facts or documents relevant to the investigation; and collect information, and request records of telephone and data traffic.
In addition, the Lead Overseer and examination team are empowered to access and inspect CTPPs’ business properties, including offices and operation centers, and to conduct off-line inspections. While inspecting a CTPP, they may seal the premises and any books or records, to the extent necessary for the inspection. Inspections cover a wide range of the CTPP’s property and systems, including all of the networks, devices, data and information that the CTPP uses in providing services to financial entities.
Within three months after an investigation or inspection is completed, the Lead Overseer must adopt recommendations for the CTPP, and immediately communicate these recommendations to the CTPP and to the national financial authorities that regulate its financial entity customers.
Financial regulators in most jurisdictions currently do not have the authority to directly investigate or inspect TSPs. To the extent that they have the right to conduct on-site inspections and obtain information from TSPs, it is only on the basis of limited contractual provisions included in service agreements with financial institutions. Financial regulators that lack that authority typically engage with TSPs on an informal, voluntary basis.
3. Lead Overseer’s Power to Issue Substantive Recommendations to CTPPs
DORA empowers the Lead Overseer to “address recommendations” to each CTPP regarding certain substantive issues relating to ICT risks. For example, recommenda-tions may address the use of specific ICT security and quality requirements or processes or the use of conditions and terms under which the CTPP provides services that the Lead Overseer deems relevant to prevent the generation of single points of failure. They may also address the CTPP’s planned subcontracting, where the Lead Overseer deems that subcontracting could trigger risks to financial stability or for the provision of services by the financial entity client.101 In addition, the Lead Overseer can recommend that the CTPP refrain entirely from entering into a subcontracting arrangement, if the prospective subcontractor is a TSP established in a third country and the subcontracting concerns a critical or important function of the financial entity.
Within thirty days of receiving the Lead Overseer’s recommendations, the CTPP must notify the Lead Overseer as to whether it intends to follow them. The Lead Overseer must then share this information with national financial regulators, which will monitor whether financial entities take into account the risks identified in the recommendations. The national financial regulators can require financial entities to temporarily suspend the use or deployment of a service provided by the CTPP until the risks identified in the recommendations have been addressed. When necessary, they can also require financial entities to terminate related contractual arrangements with the CTPP.
Under current supervisory frameworks, financial regulators do not have authority to issue substantive recommendations directly to TSPs on technical issues like the appropriate level of protection for confidential data. Instead, current guidelines set forth principles relating to issues that financial institutions—not TSPs—must consider when out-sourcing to a TSP. Similarly, financial regulators do not have authority to direct substantive recommendations to TSPs about the TSP’s planned subcontracting, or to recommend that a TSP refrain from entering into certain subcontracts.
DORA’s provisions for follow-up by national financial regulators are in some respects similar to existing ESA guidance. For example, the EBA outsourcing guidelines provide that a national financial regulator should take appropriate action, including by requiring exit from an outsourcing arrangement, when it concludes that a financial institution does not have robust governance arrangements in place or is not complying with regulatory requirements. There are, however, important differences between the proposed authority in DORA and the existing guidelines. The DORA authority focuses on failure of a CTPP to address specific recommendations, not a particular financial institution’s overall risk management relationship with a TSP. Moreover, the EBA guidelines heavily qualify the scope of national financial regulators’ authority: suspension or termination should only be required if “appropriate”, taking into account the financial institution’s “need [to] operate on a continue basis”, as a last resort if “supervision and enforcement of regulatory requirements cannot be ensured by other measures.” The corresponding provisions of DORA lack any similar qualifications.
4. Penalties Regime
If a CTPP does not comply with the Lead Overseer’s request for information or exercise of its investigation and inspection powers, the Lead Overseer is authorized to impose a financial penalty on the CTPP. The penalty is equal to 1% of the average daily worldwide turnover of the CTPP in the preceding business year, and is imposed on a daily basis until the CTPP comes into compliance, for no more than six months. Penalty payments are enforceable, in accordance with the rules of civil procedure in the EU member state where inspections and access are carried out. Certain due process protections are provided to the CTPP prior to the imposition of the penalty. The ESAs are generally required to publicly disclose any penalties imposed on CTPPs.
Under current supervisory frameworks, financial regulators in the EU and U.S. have limited authority to impose financial penalties on TSPs. As noted above, EU supervisory authorities can only require financial institutions to suspend or terminate their arrangement with a TSP, usually as a last resort, if they find that the arrangement violates a regulatory requirement or is not subject to a robust risk management framework. In the U. S., federal banking agencies have authority to take enforcement action against TSPs in connection with the performance of services for banks, to the same extent as if such services were performed by the bank itself. The threshold for bringing such an enforce-ment action is relatively high.
5. Financial Entities’ Use of Non-EU ICT Third-Party Service Providers
Certain provisions in DORA impose potential limitations on financial entities’ use of TSPs located outside of the EU. Under Article 28(9), financial entities are not permitted to “make use of” a TSP established in a third country, which has no business or presence in the EU, if the TSP would be designated as critical if it were established in the EU. In addition, DORA empowers a CTPP’s Lead Overseer to recommend that it refrain from entering into a subcontracting arrangement with a TSP established outside the EU if doing so would implicate a critical or important function of a financial entity client of the CTPP.
These requirements represent a departure from the current approach adopted by EU-level and national financial regulators. Under that approach, the location of a TSP is one risk factor among many that financial institutions must take into account, as part of their risk-based approach to outsourcing, in determining whether to outsource a particular function to the TSP. Similarly, national financial regulators are required to ensure that cross-border outsourcing does not impede their ability to engage in effective supervision, especially of critical or important functions. Neither of these limitations, however, cate-gorically restricts cross-border outsourcing.
Part III: Recommendations for a More Effective DORA
As described in Part II, the European Commission’s DORA proposal diverges substantially from existing regulatory and supervisory frameworks for TSPs, such as cloud service providers, that serve financial institutions. Most significantly, the DORA proposal would provide regulators with direct oversight of many of those TSPs, including the authority to issue substantive recommendations, impose penalties and prohibit the use of non-EU TSPs. We are concerned that this significant departure from existing regulatory and supervisory frameworks may discourage financial institutions from adopting new information and communication technologies, including cloud services, that could meaningfully enhance their operational efficiencies. It is unclear that such a step is appropriate to ensure that financial institutions’ use of third-party ICT is well-regulated.
DORA’s stated goals include: establishing a regulatory framework that is proportionate and risk-based; promoting cross-border regulatory harmonization and coordination; and facilitating innovation in financial services while ensuring operational resilience. The DORA proposal includes measures that will meaningfully promote these goals. But it also contains several provisions that, if adopted, could frustrate the achievement of each of these goals. We therefore recommend that the EU consider certain revisions to the current DORA proposal that would better align DORA with its stated goals and with other regulatory and supervisory frameworks for the use of cloud services by financial institutions. Our recommendations are set forth below.
a. Establishing a Proportionate and Risk-Based Regulatory Framework
The explanatory memorandum that accompanies the DORA proposal emphasizes that the “proposed rules do not go beyond what is necessary in order to achieve the ob-jectives of the proposal.” In addition, the memorandum states that the rules are meant to be “tailored to [the] risks and needs” of specific financial entities, based on their “size and business profiles.” As noted in Part II, the principle of proportionality is embedded in DORA’s key principles governing financial institutions’ management of ICT third party risk, which provide that such management shall take into account the “scale, complexity and importance of ICT-related dependencies” as well as “the risks arising from contractual arrangements … with ICT third-party service providers.” Another element of the DORA rules that reflects the notion of proportionality is the reservation, in several contexts, of heightened risk management protocols for the outsourcing of “critical and important functions”. DORA likewise instructs financial entities to adopt a risk-based approach to determining the frequency and scope of audits and inspections of TSPs.
The principle of proportionality, however, does not fully inform DORA throughout. In particular, the direct oversight framework prescribed by DORA falls short when meas-ured against the standard of proportionality. DORA provides the Lead Overseer with broad oversight and monitoring authority over designated CTPPs, including to issue pre-scriptive security and subcontracting recommendations, but does not require the Lead Overseer to exercise that authority in a proportionate and risk-based manner. There does not appear to be any limit, for instance, preventing the Lead Overseer from exercis-ing its oversight authority by issuing such recommendations with respect to any ICT services that a designated CTPP provides to a financial institution, even if that service is not used by the financial institution for a critical or important function. The absence of any such limitation represents a departure from existing guidelines; the EBA outsourcing guidelines, for example, direct national financial regulators to take a “risk-based approach” to assessing financial institutions’ management of outsourcing risks. DORA also does not provide CTPPs with a right to be heard in connection with the development of oversight plans, the conduct of examinations or the formulation of follow-up recommendations. A supervisory approach that enables CTPPs to give input on oversight plans would allow for risk monitoring and mitigation measures that are calibrated more efficiently.
Another example of DORA’s lack of proportionality relates to the financial penalty for non-compliance with the Lead Overseer’s recommendations: DORA grants the Lead Overseer the discretion to impose a daily financial penalty on a CTPP for non-compliance but not to determine the size of the penalty, which is set at a rigid one percent of the CTPP’s average daily worldwide turnover. Because the Lead Overseer cannot weigh other factors, such as the severity of the CTPP’s failure to comply or even the share of the CTPP’s average daily turnover that serves EU financial institutions, the imposition of this penalty is likely to be disproportionate to any specific compliance failure.
We recommend that DORA be revised to more comprehensively incorporate the principle of proportionality, especially with respect to the oversight framework for CTPPs. This recommendation is consistent with the similar recommendation of the individual chairs of the ESAs. Accordingly, the proportionality principle should be incorporated directly and explicitly in the oversight framework for CTPPs, just as it is for financial entities’ individual management of ICT third party risk. More specifically, the penalties regime should be revised to clarify that penalties should be imposed by the Lead Overseer in a manner that it proportionate, not punitive. The Lead Overseer should have discretion to set financial penalties for non-compliance at any amount up to a certain cap—for example, one percent of a CTPP’s turnover attributable to its financial services business (not all business) in the EU (not globally)—based on the severity of the CTPP’s non-compliance.
b. Promoting Cross-Border Regulatory Harmonization and Coordination
Another of DORA’s stated aims is to “put in place a detailed and comprehensive framework on digital operational resilience” in order to ameliorate the “overlaps, inconsistencies, duplicative requirements, high administrative and compliance costs” and undetected and unaddressed ICT risks resulting from the proliferation of disparate national regulatory and supervisory approaches. Regulatory harmonization is especially important in the case of financial institutions and TSPs, many of which operate in multiple jurisdictions and who are hampered by duplicative—or in some cases, inconsistent—regulatory or supervisory requirements.
DORA’s focus on regulatory harmonization is reflected in its key principles for financial entities’ management of third-party risk, which establish a single set of rules governing their service relationship with third-party service providers in order to promote crossborder regulatory harmonization. Similarly, the CTPP oversight framework is rooted in the policy judgment that EU-wide authority is needed to monitor risks stemming from TSPs. Moreover, the oversight framework subordinates national financial regulators to the authority of the ESAs, ensuring that CTPPs will only face a single set of EU requirements: once a CTPP Oversight Plan is finalized, national financial regulators may only take measures concerning CTPPs in agreement with the Lead Overseer. Although intra-European harmonization is the focus of DORA, the proposed rules also contemplate international cooperation between the ESAs and foreign regulatory authorities regarding the review of TSP risk management practices and controls.
While DORA takes significant steps toward regulatory harmonization—especially for the requirements governing financial entities—it falls short in several key areas. For one, the current proposal does not clarify how DORA’s provisions on the management of ICT third-party risk interact with relevant outsourcing guidance promulgated by the ESAs. In addition, the proposed allocation of powers between the ESAs and national financial regulators may give rise to regulatory fragmentation: national financial regulators are responsible for execution on and enforcement of the Lead Overseer’s recommendations at the financial entity-level and may take divergent approaches in doing so. There are also notable gaps in DORA’s approach to harmonization of regulatory and supervisory requirements applicable to TSPs. Although DORA explicitly defines the relationship between DORA and general cybersecurity requirements (in particular, the NIS Directive) for financial entities, it is silent on the relationship when it comes to TSPs, including CTPPs. Accordingly, it does not specify how the Lead Overseer responsible for oversight of a CTPP will coordinate that oversight with other supervisory authorities, such as cyber-security regulators, to which the CTPP is responsible in order to share information and mitigate redundancies.
DORA also could do more to enhance harmonization and coordination with non-EU regulatory and supervisory frameworks, given that many of the financial institutions and TSPs that are subject to DORA also operate outside the EU. As described in more detail in Part II of this report, many elements of DORA’s CTPP oversight framework differ significantly from non-EU financial regulators’ supervisory regimes with respect to TSPs. These divergences undercut efforts to harmonize supervisory schemes across jurisdictions. Moreover, DORA does not expressly contemplate coordination between the ESAs and CTPPs’ non-EU supervisors to mitigate regulatory and supervisory redundancies. Such coordination is especially significant given the possibility that other supervisory authorities might also seek direct oversight authority over major TSPs.
To ensure that DORA’s goal of enhancing cross-border harmonization and coordi-nation is met, we recommend that DORA be revised to clarify the relationship between DORA and the ESAs’ existing outsourcing guidelines (e.g., specifying explicitly that DORA supersedes current outsourcing guidelines). In addition, the respective roles and powers of the ESAs and national financial regulators within the CTPP oversight framework should be clarified, while underscoring the Lead Overseer’s executive position. DORA’s oversight framework for CTPPs should also recognize that many CTPPs will also be subject to oversight by both national cybersecurity regulators as well as foreign regulators. DORA should thus clarify how the Lead Overseer will cooperate with its cybersecurity counterparts in order to share information and eliminate redundancies. In addition, DORA should be revised to explicitly endorse cooperation with foreign financial regulatory and supervisory authorities in connection with promoting consensus around shared substantive principles for management of ICT third-party risk and oversight of TSPs, as well as coordinating and sharing supervisory assessments of TSPs that operate in multiple jurisdictions. Such cooperation could benefit regulators by allowing them to leverage the expertise of their supervisory counterparts, reduce redundant compliance obligations for TSPs and provide financial companies with information that can help them assess risks and comply with laws and regulations.
c. Facilitating Innovation While Promoting Operational Resilience
DORA is one of a series of European Commission proposals—including proposals covering regulation of cryptocurrency assets and distributed ledger technology market infrastructure—that are intended to “further enable and support the potential of digital finance in terms of innovation and competition while mitigating the risks arising from it.” The DORA proposal, in its preamble, acknowledges that financial institutions’ use of ICT services is driven by “their need to adapt to an emerging competitive digital global economy, to boost their business efficiency and to meet consumer demand.” Accordingly, DORA aims to strike a balance between enabling financial institutions to leverage ICT services to innovate in order to meet their evolving business needs, and ensuring that they do so in a manner that maintains their operational resilience. In several respects, DORA succeeds in striking that balance. As detailed in Part II, many of the key principles governing financial entities’ management of ICT third party risk closely track existing supervisory frameworks, especially the ESAs’ existing outsourcing guidelines. This consistency will allow financial entities, as well as TSPs, to take advantage of their existing risk management processes and controls, which they have already deployed effectively to support their operational resilience, to comply with DORA.
However, certain provisions of DORA could, if adopted, impede innovation by im-posing significant compliance costs without promoting operational resilience. Indeed, these provisions may actually hamper financial institutions’ operational resilience by restricting the use of operational or technological solutions to risk mitigation. For example, DORA subjects subcontracting arrangements of TSPs, particularly CTPPs, to a high level of scrutiny. TSPs, such as cloud service providers, regularly outsource select functions in a manner that allows them to deploy updates and address newly discovered vulnerabilities. Burdensome subcontracting restrictions could disrupt TSPs’ business operations (including their non-financial services operations), impeding their agility and innovation while also undermining their operational resilience. In addition, the ability of Lead Over-seers to take potentially sensitive information exposes CTPPs and, by extension, the financial companies they serve to significant security risk in connection with security breaches at a Lead Overseer.
Other provisions could also impede innovation without serving any discernable resilience benefit. As noted above, DORA restricts financial entities’ use of certain non-EU service providers: financial entities are not permitted to make use of a third-country TSP that has no business or presence in the EU if the TSP would be designated as critical if it were established in the EU. Although we understand that this provision would not apply to large U.S. TSPs that have business and a presence in the EU, such as AWS or Google Cloud, this restriction limits the availability of TSPs for financial institutions and favors incumbent providers over more innovative competitors. It may also undermine financial institutions’ operational resilience: in the case of cloud services, for example, the use of out-of-jurisdiction infrastructure allows financial institutions to distribute copies of applications or data to multiple locations (making them more difficult to target) and route incoming application traffic across geographic regions (making cloud services more resilient to local failure).
Accordingly, we recommend that DORA’s restriction on the use of non-EU service providers be eliminated. With respect to DORA’s provisions governing subcontracting, we recommend that those be limited to subcontracted functions that are “critical or important” to the operations of a financial institution. And DORA should explicitly allow, in connection with requests for sensitive information or data, for CTPPs and their Lead Overseers to cooperate to find alternative arrangements for a CTPP to provide responsive information that does not involve highly sensitive information or data leaving the CTPP’s premises.