Some financial companies, including credit institutions, payment service providers and e-money institutions, are already affected by extensive documentation and reporting obligations due to existing regulations - including the EBA guidelines, which require a "central" register of all outsourcing arrangements. The Digital Operational Resilience Act (DORA), which must be implemented throughout the EU by January 17, 2025, will tighten the existing requirements in the area of cyber security. All financial companies are now also required to set up an register of information containing all the IT services they procure.
Those responsible can use the overlaps resulting from both registers to their advantage if they use the right digital tools.
Familiar reporting obligations from EBA guidelines
Reporting on outsourcing is already familiar to banks, payment service providers and e-money institutions from the EBA guidelines. On February 25, 2019, the European Banking Authority published the final version of the „Guidelines on Outsourcing“ (EBA/GL/2019/02). These have been effective since September 30, 2019 and call for an updated register containing information on all outsourcing arrangements at institution level and, where applicable, on a sub-consolidated and consolidated basis and to adequately document all existing outsourcing arrangements. This outsourcing register must always be maintained and made available at the request of the authority.
The information to be provided and the extent of detail depends on the level of outsourcing risk. If a critical or essential function is affected, an extended risk analysis, current audit reports, exit strategies and alternative providers are needed in addition to the minimum requirements.
New requirements introduced by DORA
DORA tightens the reporting requirements for the IT services procured. All financial companies (including insurance companies, investment firms and crypto service providers) must record detailed information on their third-party ICT service providers in an register of information. The exact content and structure of the reports are specified in the technical implementation standards (ITS), submitted by the ESAs (European Supervisory Authorities) based on the EU regulation. Similar to the EBA guidelines, DORA also requires a classification of critical or important functions. One of the key changes is that the documentation of ICT service providers includes not only their subcontractors, but also the entire supply chain.
The aim: avoiding redundancies
There is a very high degree of overlap between the content of the register of information and the outsourcing register. In some cases, both registers contain very similar or even the same information: For example, the complete listing of outsourcing contracts; contract metadata such as term and notice periods; supplier information such as name, address, LEI (if available) and group structures; materiality and criticality assessments as well as outsourcing details (e.g. function and type/allocation).
In practice, however, accountability for the two registers often falls under completely different areas of responsibility. This means that work is doubled and can lead to transmission errors and redundancies if there is a lack of coordination. As in both cases supervision lies with the same authority (in Germany the BaFin, in Austria the FMA), it could therefore happen that companies report different information on the same outsourcing.
Necessary cross-sectional discipline
In order to create synergies when implementing the regulatory requirements, there must therefore be coordination between the outsourcing and information registers. Financial companies are required to break through the silo mentality within the departments and integrate the various stakeholders who have the required information in their operations into a digital workflow. To achieve this, those responsible must create a single point of truth including end-to-end business processes.
Fabasoft DORA offers the option of automating the entire outsourcing cycle, including the necessary reporting. With the help of a smart data model, the standardized software maps digital processes that are based on the workflow organization of the financial company. The various stakeholders access a standardized database and generate the required audit reports, such as the outsourcing and information register, in accordance with regulatory requirements at the touch of a button.
Interested in finding out more about how standardized software can help you implement DORA? Discover the advantages of Fabasoft DORA.
