
Getting DORA-ready - some practical guidance

Aug 6, 2024


As anyone who is in the thick of it will know, changing the way a business operates (to a greater or lesser degree) to accommodate change such as regulation is burdensome.


Dora statue in Turin

DORA requires implementation of a lot of process. It specifies a number of policies and registers which the FSP should have in place (e.g. a policy on the use of ICT services supporting critical or important functions, and a register of information which Implementing Technical Standards require to be in a prescribed form). There are also a considerable number of steps which need to be taken before an FSP can enter into a contractual arrangement on the use of ICT services (e.g. see Article 28.4).


Processes


As a general point – I would always strongly recommend that any policies and procedures are made as practical and easy-to-use as possible.  They are there to be used, and probably used quite often.

Every time ‘something needs to be done’ e.g. an assessment made, or that assessment recorded in a register:


  • Be really clear who needs to do it

  • Make sure that person knows both that they need to do it, and exactly what they need to do

  • Management needs to ensure that that person embraces this function as part of their role and is accountable for fulfilling it

  • Try to break policies down by audience. By all means have a 30-page overall policy, but if there are 3 things the risk team needs to do, put them in a separate policy for the risk team (specifying appropriate handoffs of course, e.g. when your assessment of X is finished, record the results of your assessment in Y register and notify A, B and C people).


Whilst tech isn’t the answer to everything – it can be hugely helpful (that’s what it’s for, after all).


  • If the legal team doesn’t have one already, a ‘legal front door’ can be a game changer for helping the legal team identify quickly that this is an ICT services contract and therefore needs to go through certain prescribed procedures – in a way that receiving an email out of the blue won’t.

  • As the procedure is likely to be relatively standard for these contracts – if they are likely to arise with relative regularity (which I would suggest is likely) it is probably worth looking into some kind of process automation.  This can (a) ensure that the right people are involved at the right stage of the process (b) (crucially!) record their input and (c) save probably more time than you think in chasing around for responses.


Repapering


 Whilst the general thrust and framework of DORA will be familiar to those who have dealt with the EBA outsourcing guidelines and UK SYSC rules, there are some key differences:


  • DORA applies to all ICT third-party services, not just ‘outsourcing’

  • DORA requires FSPs to document ICT arrangements in one written document available to the parties on paper, or in a document with another downloadable, durable and accessible format


Accordingly, contracts which refer out to the FSP’s policies, or additional terms (e.g. DPAs), will need to be included in the ICT agreement.

Contracts that have been updated from time to time, e.g. where the SLAs have been tweaked by way of amendment, or where there are other ongoing change requests, will need to be consolidated.

Article 30(2) mandatory contract provisions need to be complied with even if the contract for the provision of ICT services relates to supporting functions which are not “critical” or “important”.

Those articles that I have mentioned generally originate from law firms that offer repapering services.  If you do choose to outsource the process (or elements of it):


  • Be sure to produce, or get your law firm to provide you with, a playbook including provisions that are mandatory requirements – ideally with as much information as possible on each provision, so that you, and other members of your team, and any new joiners down the line, are able to defend these provisions going forward

  •  Do if possible take the opportunity to capture any other contract improvements e.g. perhaps taking a more balanced position on clauses that often cause friction, and/or finding a better way to present your agreements


LegalTech can also be leveraged to help with the repapering process. This can capture your playbook and ideally will work seamlessly with any process management technology.


Of course, if you would like help with:


  • Assessing whether DORA applies to your firm

  • Reviewing your existing documentation (including processes and procedures and your contracts)

  • Setting up playbooks

  • Crafting bespoke process tech, or choosing a LegalTech tool

Talking Fox legal is here for you! Just mail fox@talkingfox.co.uk.


Talking Fox Limited is incorporated and registered in England and Wales with company number 13394689 whose registered office is at 1 Mill End Cottages, Little Missenden HP7 0RG
