The European Banking Authority has published a speech by its chair, José Manuel Campa, on operational resilience in EU financial services. The speech comes as more technical standards are expected to be published in draft under the EU’s Digital Operational Resilience Act (DORA).
A high percentage of digital activity in financial services
The speech includes some interesting statistics regarding digitalisation trends in financial services. For example:
- Around half of EU banks report that between 75% and 100% of their customers primarily use digital channels for daily banking activities.
- More than 70% of EU banks use artificial intelligence in some areas of their activities.
- EU banks are most often using AI in their creditworthiness assessments and credit scoring, as well as in fraud detection, commercial profiling and AML compliance. The use of chatbots is also increasing.
- 65% of EU banks have established partnerships with BigTech firms, mainly to facilitate the distribution of financial and other services.
More reliance on ICT third party providers
Mr Campa observes that the growing dependency on ICT third party providers can create risks to financial stability if their services are disrupted or fail. Supervisors are faced with the challenge of getting assurance about financial entities’ risk management and operational resilience, and understanding whether ICT providers are introducing more risks that could impact the financial sector.
It is in this context that the supervisory and regulatory framework – at international and EU levels – is progressively focusing on operational resilience.
Mr Campa notes that DORA will apply to almost all EU financial entities from January 2025 and that the EBA, along with the other European Supervisory Authorities (ESAs), is currently developing complementary level 2 regulatory texts.
Data from financial entities will inform criticality of ICT TPPs
One aspect of DORA introduces a new supervision model for critical ICT third party providers. Mr Campa confirms that the ESAs will use data obtained from EU financial entities about the ICT services that they receive from third party providers to designate some of those suppliers as “critical”, using criticality criteria. This exercise will be done on an annual basis and the list of critical ICT providers will be published.