June's Risk Management Spotlight: Navigating Digital Market Regulations
- James Ross
- Jun 13, 2024
June has proven to be a busy month for risk management in digital markets. Regulators worldwide have released new guidelines and conducted tests to ensure the resilience and security of financial systems.

Europe's Digital Operational Resilience Act (DORA)
The European Commission published two Delegated Regulations under DORA, detailing the criteria for identifying critical ICT third-party providers and outlining the oversight fees they will incur. This is a significant step towards DORA's implementation, requiring financial entities and ICT service providers to align their operations and contracts with the new rules.
The European Central Bank (ECB) also issued a comprehensive guide on outsourcing cloud services to cloud service providers. This guide emphasises a risk-based approach, focusing on procuring cloud solutions and providing detailed supervisory expectations for financial institutions. It complements DORA and the EBA Guidelines on outsourcing arrangements.
Furthermore, a DORA dry run is scheduled for the second half of 2024, allowing financial entities to test their ability to create and submit information registers on their contractual arrangements with ICT third-party providers.
EBA's Consultation on Operational Risk
The European Banking Authority (EBA) initiated a consultation on draft regulatory technical standards (RTS) for operational risk under CRR3. The RTS address risk taxonomy and classification, the definition of "unduly burdensome," and adjustments for merged or acquired entities. These proposals aim to strengthen the framework for operational risk management, impacting data collection, reporting, regulatory capital calculations, and operational resilience.
Singapore's Focus on Data Governance
The Monetary Authority of Singapore (MAS) published a guidance paper on data governance and management practices for banks and finance companies. The paper emphasises robust data governance and outlines supervisory expectations, observations from inspections, and areas for improvement.
International Concerns: Market Outages
The International Organization of Securities Commissions (IOSCO) released a report on market outages, proposing good practices for trading venues to enhance resilience. The report focuses on establishing outage plans, communication strategies, transparent reopening procedures, and lessons-learned exercises.
Key Takeaways for Financial Institutions
DORA Compliance: Financial entities must understand and comply with the new DORA regulations, assess their reliance on critical ICT third-party providers, and update contracts accordingly.
Cloud Outsourcing: Financial institutions outsourcing to the cloud should follow the ECB guide, conducting thorough due diligence on cloud service providers and implementing robust risk management frameworks.
Operational Risk Management: Firms must adapt to the new EBA draft RTS and prepare for changes to data collection, reporting, and regulatory capital calculations.
Data Governance: Banks and finance companies should prioritise data governance, ensuring board oversight, establishing data management frameworks, and maintaining data quality.
Market Resilience: Trading venues should adopt IOSCO's good practices to enhance their resilience against market outages and improve communication during disruptions.
Overall, the regulatory updates in June highlight the increasing focus on risk management in digital markets. By addressing these requirements proactively, firms can enhance their operational resilience, safeguard against cyber threats, and ensure the integrity of their data and systems.


