Banks fret over vendor contracts as Dora deadline looms

Thousands of vendor contracts will need repapering to comply with EU’s new digital resilience rules

Credit: Risk.net montage

Banks are racing to renegotiate contracts with thousands of technology vendors to ensure compliance with the European Union’s Digital Operational Resilience Act (Dora), which comes into force next January.

Dora requires financial institutions to identify and assess the criticality of their third-party service providers and ensure they have the right contractual clauses in place to manage any risks.

The head of operational risk at a large European bank says his institution has more than 1,000 service providers that will need to be assessed for compliance purposes. “That’s quite a lot of contracts if you want to remediate them,” this person says.

“Without the final detail firms have not been able to implement” – capital markets technology vendor head

Industry sources say the scale of the contract remediation and repapering required means full compliance by Dora’s go-live date may not be possible. “I’d be surprised if anybody’s got 100% confidence they’re going to hit the January 17 deadline,” says the operational risk head at the large European bank.

“The reality is, we’re not going to be able to repaper everything as an industry,” they say, adding that regulators may need to “accept some form of transitional provision if the rump of [outstanding contracts] left is of relatively low risk”.

The head of operational risk at a second large European bank agrees that repapering vendor contracts is the biggest challenge banks face ahead of Dora coming into force. “The industry view is that contract remediation is the most challenging aspect,” they say, “not least because it isn’t entirely in the purview of financial institutions to address it in a timely fashion, as it needs the co-operation of third-party service providers. That, plus the volumes of contracts that need repapering across the industry generally.”

Disputes

Bank risk managers say smaller vendors in particular have been slow to react to Dora’s requirements and are not always familiar with the technical standards of the regulation.

In June, ING’s global chief information security officer Beate Zwijnenberg told WatersTechnology that some vendors were disputing that they provide information and communications technology (ICT) under Dora even after the bank had determined that they were.

Zwijnenberg said many want EU regulators to release more information on the third parties expected to be in Dora’s scope. Without this, she notes many vendors are avoiding compliance with Dora, citing Article 31, which restricts the act’s application to ICT providers. These are defined broadly in the bill as vendors regularly offering digital and data services—a definition some industry groups have also criticized as being too vague.

Some blame EU regulators for delays in finalizing technical standards for determining which vendors are in scope. “People have been doing what they can and planning based on assumptions, but without the final detail firms have not been able to implement,” says the head of a capital markets technology vendor. “As things get finalized, there is then a rush to complete a large exercise in reduced timelines.”

He estimates that up to 20,000 vendors could be classified as ICT providers under Dora—including some not generally considered critical vendors by financial institutions. “There will be a large repapering exercise, which is a very time-consuming task. Ultimately proportionality and prioritization will be key,” this person says.

A number of banks have already begun the process of remediating their contracts with the capital markets technology vendor, which to date has not objected to requests to amend existing terms. “Typically, they have the contractual right to do what it is that the regulation requires them to do,” says the vendor’s head.

It’s not just banks that are struggling with repapering vendor contracts ahead of the Dora deadline. “I recognize the concerns being raised,” says the chief risk officer of a large European asset manager. “The definitions, processes, frameworks and third-party agreements that need to be reviewed and updated are massive. And we struggle. A big part of it is the lack of clear definitions and requirements.”

In July, the Futures Industry Association and the Association for Financial Markets in Europe issued a joint statement warning that financial institutions and third-party service providers were facing difficulties with Dora compliance and asking for “co-ordinated supervisory action to be taken in response”.

The statement reads: “Given the significant challenges regarding contract remediation, industry participants would also appreciate clarity from the regulators that applying a risk-based approach which prioritizes critical or important function contracts with a plan to remediate other providers is acceptable to the regulators and would not trigger any supervisory enforcement measures.”

The trade bodies noted that the final subcontracting technical standard was not expected to be published until the third quarter of 2024.

A European Securities and Markets Authority spokesperson declined to comment.
