The Digital Operational Resilience Act (Regulation (EU) 2022/2554) (DORA) aims to improve operational resilience in the regulated financial service providers (RFSPs) which fall under its scope, enabling them to withstand ICT-related disruptions and threats. DORA will apply from 17 January 2025.
In this article, we consider a recent fine imposed by the UK’s Prudential Regulation Authority (PRA) against a Chief Information Officer for operational resilience failures under the Senior Manager Certification Regime (SMCR), the UK equivalent of the Central Bank of Ireland’s (CBI) incoming Individual Accountability Framework (IAF). We also discuss the enforcement powers of competent authorities such as the CBI and potential penalties which will apply under DORA.
PRA Fine – a warning for individual accountability?
A recent fine imposed by the PRA in the UK may be regarded as a warning to both RFSPs and senior executives of the importance of operational resilience. The UK retail bank, TSB Bank plc (TSB), migrated its IT system to a new platform which immediately experienced issues, resulting in customers suffering significant disruptions to the bank's services. Following an investigation, the PRA fined TSB's former Chief Information Officer £81,620 under the SMCR for failure to take reasonable steps to ensure that TSB adequately managed and supervised the IT migration programme. This followed an earlier fine of £48,650,000 imposed by the PRA and the Financial Conduct Authority for operational resilience failings by TSB.
Although this case occurred in the UK, it demonstrates the potential implications of failing to adequately manage operational risk when outsourcing critical functions, and the importance placed by regulators on operational resilience, due diligence, and oversight of outsourcing arrangements. DORA introduces an additional layer of obligations and governance requirements for managing ICT risks which RFSPs must consider in outsourcing arrangements, alongside the CBI's Cross-Industry Guidance on Outsourcing, the CBI's Cross-Industry Guidance on Operational Resilience, and other regulatory requirements (as applicable).
Commentators in the UK have also suggested that this case has breathed new life into the SMCR, under which enforcement actions to date have been relatively rare. It is also a timely reminder of the possible adverse implications of the proposed IAF regime for Irish RFSPs and the senior management involved. In particular, this UK enforcement action demonstrates the attention placed by a regulator on an individual’s statement of responsibilities, and it will no doubt focus minds in an Irish context as firms grapple with their IAF implementation projects.
Enforcement Powers under DORA
DORA will introduce enforcement powers that the CBI may exercise, which will operate in tandem with the IAF once both regimes are in force.
Competent authorities (including the CBI) will be given broad enforcement powers under DORA, including:
- accessing any document or data held in any form and receiving or taking a copy of it;
- carrying out onsite inspections, summoning representatives of RFSPs for an explanation of facts or documents relating to an investigation, and interviewing any individual or entity who consents to be interviewed as part of the investigation; and
- requiring corrective and remedial measures for breaches of DORA.
Penalties and Remedial Measures
Member States must lay down appropriate administrative penalties and remedial measures for breaches of DORA. This includes an option of criminal penalties for certain breaches. Penalties or remedial measures must at least include:
- issuing an order requiring the individual or entity to cease and desist conduct in breach of DORA;
- temporary or permanent cessation of practice or conduct contrary to DORA and preventing a repetition of the practice or conduct;
- adopting measures, including pecuniary measures, to ensure RFSPs continue to comply with the requirements of DORA;
- requiring existing data traffic records held by telecommunications operators (insofar as permitted by national law) where there is a reasonable suspicion of a breach; and
- issuing public notices, including public statements indicating the identity of the individual or entity and the nature of the breach.
Where an RFSP commits a breach, competent authorities can apply administrative penalties and remedial measures (subject to national law) to members of the management body (i.e. the Board of Directors) or to other individuals responsible for the breach.
If you would like further information or have any queries on how DORA could impact your business, please contact John O’Connor, Shane Kelleher, Eoin Caulfield, or your usual William Fry contact.
Please see our webpage here to hear about how we can support RFSPs in navigating the Individual Accountability Framework. If you would like to read further insights on DORA, please see our previous articles here.
Contributed by Claire O’Connor