Navigating the Evolving Landscape of Tech Regulations within Asset Finance

The financial services industry has always been highly regulated, and in recent years, the rapid pace of technological advancement has ushered in a new wave of regulations aimed at safeguarding the integrity, security, and functionality of financial institutions in the digital age. Key regulations, including DORA, NIS2, PS 21/3, and the Regulation on Electronic Invoicing, reflect a concerted effort by global regulators to ensure that financial services firms maintain robust technological and cybersecurity frameworks. This article delves into these critical regulations, highlighting their significance and implications for financial services firms.

1. Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a ground breaking piece of regulation introduced by the European Union to address the digital resilience of financial services institutions. The financial services sector has become increasingly reliant on digital infrastructure, making it a prime target for cyberattacks, data breaches, and operational failures. DORA aims to ensure that all firms within the EU financial sector can withstand, respond to, and recover from various ICT-related disruptions, such as cyber incidents and operational failures.

For financial services firms, DORA means bolstering internal processes, strengthening partnerships with technology vendors, and ensuring compliance with regulatory reporting requirements. However, the relevance of DORA has to be taken into consideration in the much wider strategic challenge of operational resilience, making it much more than a “regulatory tick box exercise”.

2. Network and Information Security Directive (NIS2)

The NIS2 Directive, which builds on the original NIS Directive, sets the foundation for enhanced cybersecurity across critical sectors in the European Union, including financial services. The directive is a response to the evolving threat landscape and the increasing sophistication of cyberattacks that have targeted financial institutions globally.

For financial services firms, NIS2 necessitates an enhanced focus on cybersecurity governance and compliance, as well as the integration of advanced cybersecurity technologies to meet stringent regulatory requirements.

3. PS 21/3 – Prudential Supervision of Outsourcing and Third-Party Risk Management

The PS 21/3 regulation, introduced by the UK’s Prudential Regulation Authority (PRA), is designed to ensure that financial institutions maintain robust oversight over outsourcing arrangements and third-party service providers. Given the growing reliance on outsourced technology services, including cloud providers, PS 21/3 seeks to mitigate the risks associated with third-party dependency, particularly in relation to operational resilience and financial stability.

For financial services firms, PS 21/3 emphasizes the need to closely monitor and assess the performance and risk exposure of all third-party vendors. This also means revisiting and renegotiating existing contracts to ensure alignment with regulatory expectations.

It must be noted that PS 21/3 has a much wider scope than outsourcing and third-party risk management, addressing the wider field of operational resilience.

4. Regulation on Electronic Invoicing

The Regulation on Electronic Invoicing is part of the European Union’s effort to streamline business processes and enhance transparency in financial transactions. Electronic invoicing, or e-invoicing, refers to the digital exchange of invoices between suppliers and buyers, eliminating the need for paper-based invoicing processes. The regulation mandates the use of a common European standard for e-invoicing in public procurement, which promotes cross-border trade and ensures the smooth exchange of goods and services across the EU.

For financial services firms, particularly those engaged in cross-border operations, compliance with the Regulation on Electronic Invoicing is essential for ensuring smooth transaction flows and minimizing operational inefficiencies.

5. AI Regulation in the European Union

The European Union’s AI Regulation is primarily shaped by the proposed Artificial Intelligence Act (AI Act), which aims to establish a comprehensive regulatory framework for the development, deployment, and use of AI across the EU. The regulation seeks to ensure that AI is safe, ethical, transparent, and aligned with European values.

Key Features of the AI Act

1. Risk-Based Approach: The AI Act categorizes AI systems into four risk levels:

2. High-Risk AI Requirements: For high-risk AI systems, the regulation mandates:

3. Compliance and Enforcement: The AI Act sets up a European-wide governance framework that includes national supervisory authorities and a European Artificial Intelligence Board. Firms developing or deploying high-risk AI systems will face regular audits and compliance checks.

4. Fostering Innovation: The AI Act also promotes innovation by encouraging the creation of AI regulatory sandboxes, allowing firms to test AI applications under regulatory supervision without full compliance burdens.

Implications for financial services firms

Financial services firms using AI, particularly in areas like credit scoring, algorithmic trading, and fraud detection, will need to ensure their systems comply with the high-risk classification requirements. This includes investing in robust governance frameworks, data quality controls, and transparent decision-making processes. Firms will also need to remain vigilant about ongoing compliance audits and be prepared for the Act’s enforcement mechanisms.

Author: Christoph Auerbach