The Digital Operational Resilience Act (DORA), the proposed European regulation for digital safety that is set to come into force by 2025, imposes requirements that are far too strict for pension funds and asset managers, according to the European asset management association EFAMA and Pensioenfederatie, the Dutch pension federation.
In their respective responses to the public consultation launched by the European Supervisory Authorities (ESAs) on the draft regulatory technical standards (RTS) under DORA, both organisations strongly criticise the lack of proportionality in the approach taken by the regulators.
The Pensioenfederatie and EFAMA both want regulators to instead propose a risk-based approach that better accounts for the differences in nature between financial organisations.
The Pensioenfederatie noted in its consultation response that the text of the DORA regulation looks as if it has been written specifically for banks. As such, it imposes safety controls that are far too rigid for pension funds, the organisation argued.
“A vital difference between business processes of pension funds and banks lies in their periodicity. Pension funds pay out pension entitlements once a month, whereas banks process a high volume of transactions all the time. Therefore, the impact of an ICT-related incident is substantially lower, which warrants milder control measures,” the Pensioenfederatie said.
One size fits all
EFAMA voiced similar criticism in its consultation response: “The currently proposed ‘one size fits all’ approach will be excessive for many financial institutions, including asset management companies. The ESAs should allow for elements such as smaller size, decreased complexity, criticality of systems and functions, as well as the entity’s risk assessment and appetite, to be taken into account, in particular when implementing the ICT risk management framework.”
The only form of proportionality currently proposed by the ESAs is size. Specifically, a lighter regulatory regime is suggested for pension funds with fewer than a hundred members.
This does not mean much in practice, however, as the Pensioenfederatie noted.
“In the Netherlands, there’s no pension fund that has fewer than a hundred members. All pension funds must therefore meet all the requirements of the RTS that also apply to systemically important banks and global insurers.”
The lack of proportionality would lead to a dramatic rise in costs, the Pensioenfederatie warned. “This will directly reduce members’ and beneficiaries’ pensions.”
Moreover, “a large amount of control measures applied in a rules-based fashion will disperse resources of pension providers and supervisors, rather than addressing the most serious risks,” the Pensioenfederatie stated.
Zuzanna Bogusz, regulatory policy advisor at EFAMA, also lamented “the high degree of bureaucracy incorporated in the draft technical standards”, especially when it comes to the mandatory reporting of “major” ICT incidents.
The two organisations fear the barrier for an ICT incident to be qualified as major has been put far too low, leading to financial institutions being “overwhelmed with drafting procedures, filling in templates and gathering data, when their attention should be focused on prevention, detection and swift reaction to threats,” according to Bogusz.
She added: “Also, if a high proportion of ICT-related incidents qualify as major, it would become harder to detect those truly harmful ones and channel available resources towards them. In other words, it would be counterproductive for the task at hand.”