Your DORA questions answered – CIFs

This, the third in a series of six articles covering a practical session organised by Ashurst, focuses on critical or important functions.

The specialist team at Ashurst organised a helpful follow-up to their successful initial session on DORA. The number of questions from attendees of the first webinar was the primary motivation for organising a session focusing specifically on answers to practical questions posed by those attending.

A theme apparent throughout the session was that, with the January 2025 DORA compliance deadline fast approaching, key aspects of the DORA regime – including the technical standards (RTSs) – remain incomplete. As a result, much of the advice, even from experts, remains couched in conditional language. The team was very sympathetic to the pent-up frustration of those who will be responsible for ensuring their institutions are DORA compliant, a frustration apparent in both the number and the tenor of the questions posed.

We have tried to summarize the Ashurst team’s answers to each of the questions tackled during the session. The Ashurst team very helpfully organized the questions into broad thematic categories that are reflected in a series of bite-size articles.

1. Scope
2. ICT services in scope
4. ICT third party contracts
5. Business resilience
6. Extraterritoriality and existing rules

A list of the Ashurst specialists contributing is included below. Any errors or omissions are those of the GRIP team.

The information below does not and is not intended to constitute legal advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. It is not intended to be relied upon in the making (or refraining from making) any specific decisions.

Do you consider a “function” to be only services provided to customers or could there be critical or important functions that are internal?

Under DORA the definition of a “function” is broad and includes both client-facing functions as well as internal functions. A critical or important function can be nearly anything that might potentially materially impair the performance of the financial entity. For example, a firm’s inability to fulfil its regulatory reporting obligations would still be caught in the net even though no client would be directly affected.  

Do you have a feeling of how the term “supporting” a CIF has to be interpreted?

This would be a service that is ‘holding up’ a critical function, and it needs to be intrinsic or critical to that function to qualify. The definition of support is not that broad: supporting, in the context of a critical function, must mean a service that is so intrinsic to the ongoing performance or delivery of that function that a failure would cause either material harm or significant disruption. This definition, and how it is interpreted by the firm, should be added to the risk management framework. It should then be used as an objective marker of how the firm has chosen to interpret the term, with a consistent methodology used to categorize functions.

Is there a view on the read-across between the UK’s concept of IBSs vs. CIFs?

This is an interesting cross-jurisdictional question and engendered a lively discussion amongst the Ashurst specialists.

Many firms are starting with what they have identified as important business services under the UK operational resilience framework or critical functions/critical services under national implementation of the Bank Recovery and Resolution Directive (BRRD). This is probably a very good place to start.

But the team drew attention to the differing definitions of “critical or important function” and “important business service” in DORA and the FCA Handbook respectively, suggesting that the FCA definition is ultimately focused on services that are “client facing” and that the definition is “looking outward” as a result. The implication was that different functions would be identified under each definition, with the DORA definition focusing more broadly on what is critical to the day-to-day operations of the business.

In either regime an entity should focus on the outcome, which is operational resilience. Impact should be broken up into categories:

  • client outcomes;
  • consumer protection;
  • firm (internal functions that the business will not be resilient without); and
  • markets.

Neither regulatory regime is intended to prevent all risks or harms; both are meant to focus the attention of financial entities on what to do afterwards. DORA in particular is about testing the plausible outcomes of scenarios under which technology supplied by a vendor fails. Having a plan for what to do is a critical aspect of resilience, because if you have not built plans to recover you can end up in a wind-down situation. That is what the BRRD is primarily focused on, but for all the regulators concerned an orderly wind-down is obviously an outcome of last resort.

It is useful to reproduce these definitions here for context (underlining by the Ashurst team):

DORA definition

A “critical or important function” means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorization, or with its other obligations under applicable financial services law

FCA Handbook definition

“Important business service” means a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could: 1) cause intolerable levels of harm to any one or more of the firm’s clients; or 2) pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.

GRIP View

We felt that the key here was the focus of both definitions on the identification of functions whose failure might lead to a material impact on or harm to clients. In our view, even where a service is not directly externally facing, but its failure or disruption would cause “intolerable levels of harm” to clients, it would still constitute an important business service under the FCA definition. Where the two definitions differ quite significantly is in connection with services whose failures might not necessarily have client impact.

The DORA definition is far more stringent, with a focus on authorization and financial services law obligations of the firm. In other words, under DORA a function could be deemed critical or important where, for instance, its failure might lead to a firm not being able to meet its regulatory obligations. The UK definition is more generously drafted and focuses on the financial system and markets more generally. Under this definition a failure of a firm to meet its regulatory obligations would only qualify in an instance where this undermined the soundness of the system or orderly operation of the markets.