GPs warned of €100m fines due to DORA non-compliance
Asset managers will face fines of up to €100m (£82.2m) or five per cent of their company’s annual turnover if they are found to be in breach of an upcoming EU directive.
The EU’s Digital Operational Resilience Act (DORA) will come into effect on 17 January 2025, and asset managers have been warned that they face stiff penalties if they do not comply.
DORA requires all EU-based asset managers to implement strong information, communication, and technology (ICT) risk management, as well as stringent incident management, which involves identifying, reporting, responding to and recovering from ICT-related incidents.
They are also required to conduct digital operational resilience testing every year, and to hold a register of all third-party ICT service providers, with a special focus on critical suppliers. Asset managers are also being asked to share information about cyber threats with the market.
The regulation will affect the EU financial sector and its service providers, as well as companies and entities outside the EU that provide services or do business with any financial market participants within the EU.
Ocorian Fund Services added that asset managers who rely on service providers for critical functions will need to adapt their outsourcing practices to comply with DORA. Third-party vendors must also be DORA compliant, so asset managers must ensure vendors have proper risk management, conduct penetration testing and provide evidence to regulators.
“While it might seem daunting at first, DORA compliance is achievable for asset managers through a pragmatic approach that leverages existing practices,” said Sharon Hodder, head of business partnering – technology, at Ocorian.
“By focusing on existing governance structures, leveraging GDPR efforts and identifying targeted gaps, firms can ensure compliance without a complete overhaul of their current practices.”
Ocorian added that DORA should not require a complete overhaul of a firm’s governance structure, but may involve identifying gaps and updating existing processes. This can be done in-house or with the support of a third-party administrator.
“The good news is that many fund administrators and service providers are ahead of the curve and already adhere to most aspects of DORA,” said Stuart Geddes, chief information officer at Ocorian.
“Our regulatory and compliance experts – Bovill Newgate – are developing a new service to assist our clients and other institutions with achieving DORA compliance.”