A critical success factor for financial services organisations implementing the EU Digital Operational Resilience Act (DORA) is creating a path to resilience maturity. With the countdown to the January 2025 deadline well underway, what technologies are essential to not only achieve compliance but deliver competitive advantage?
Establishing a rules-based system
A polycrisis of global risks is putting more pressure on the regulator, with demands for better transparency and a more resilient EU financial system. The recent CrowdStrike-caused outage, whose global economic damages are, according to Reuters, estimated to reach tens of billions of dollars, underscores the importance of robust cybersecurity measures and disaster preparedness and makes this EU initiative even more vital.
DORA aims to build resilience in EU financial services and tackle these increasing risks in ICT and cyber. With the euro area’s trade with other regions amounting to more than 60% of its GDP, a rules-based system of financial relationships is essential.
But advancing security and preparedness to meet regulation remains an ongoing challenge for firms. Boards and risk management teams regularly deal with an array of current risk and compliance issues to keep up with legislation. Case in point, significant penalties can be imposed for DORA non-compliance, including substantial fines and other enforcement actions as deemed fit by national competent authorities (NCAs).
You can see why regulatory technology (regtech), the use of information technology to enhance regulatory and compliance processes, has become essential to help firms keep pace. And why regtech has been leveraging AI effectively for some time, particularly in reducing false positives in fraud detection and delivering more accurate alerts.
Becoming data-driven
DORA requires firms to look at their technology state and know their systems, risks and dependencies, especially with third parties. The framework for compliance includes creating an inventory of digital assets, the ability to classify and report incidents and regular risk assessments of legacy ICT systems. This means being data-driven, understanding usage and patterns and continuously measuring and evidencing compliance states.
But for many firms, being data-driven is hampered by legacy systems. How can firms fully respond to regulatory pressures if they cannot easily modify their systems? How can firms unlock AI's full potential to aid compliance without a solid foundation of clean data?
Organisations need systems that capture data in clear and organised ways, composable architectures that allow for quick deployment of new features and functions and a deeper understanding of their workflows and business logic that is currently buried in their systems.
Modernising legacy systems is a daunting task for many firms. This challenge involves digging deep into core systems to update and optimise them from the ground up—a process often seen as complex and risky. But with the growth in AI, more businesses recognise that simply building on top of core systems is no longer enough.
As mentioned, regtech has leveraged AI effectively for some time. The advancements in these generative AI models are remarkable, enabling them to handle various natural language processing (NLP) tasks, including answering questions conversationally, generating and classifying text and translating languages.
Large language models (LLMs) bring an added advantage: they are natively polyglot, able to look across multiple languages and process data from multiple sources (visual, audio and written). This capability enhances transcript accuracy for training and surveillance, offering a more comprehensive approach to regulatory technology. However, generative AI can get things wrong or even make things up (known as hallucinating) if it can’t find the information it needs. We’ve learnt that accurate prompting is essential and that generative AI can be shaped by asking it to adopt an approach or specific persona.
Complex and subtle banking automation
To make generative AI more reliable (without sacrificing creativity and flexibility) Endava has embraced a new concept called agent-based AI, or agentic AI. Flexible enough to work in real-world situations and deliver results with a high degree of accuracy and reliability, our agentic AI industry accelerator, internally called Morpheus, is a first-of-its-kind solution that could deliver some potent efficiencies in compliance.
AI agents automate complex tasks that require domain expertise and adaptable thinking. These agents work together to ensure reliable outcomes and can be deployed in any enterprise environment using a powerful reference architecture. They seamlessly integrate with major LLM models and cloud platforms and their transparent reporting makes them suitable for use in highly regulated industries.
This form of generative AI effectively automates business processes that are too complex and subtle to be accomplished with conventional process automation and builds on four generative AI advances:
- Agents have roles with specific knowledge, objectives, biases and constraints
- Agents use tools such as email, CRM systems and office tools
- Agents follow workflows: unlike conventional process automation, workflows can be flexible and include value judgements rather than strict ‘true/false’ conditional statements that often fail to reflect reality
- Agents can collaborate as ‘teams’ of agents working together to resolve complex tasks
Consider agentic AI taking up the roles of the regulator and the company senior risk or compliance officer, assessing the existing data, evaluating risk and potential exposure while checking and validating any reportable exposure against DORA’s frameworks. Then preparing a predetermined report to be reviewed by the chief risk officer ahead of any submission to the appropriate regulatory bodies. Before they request it.
You could also go a step further, whereby AI generates remediation and recommendations, quickly converted into a plan that could demonstrate that as an organisation you have significant oversight of any challenges that might arise. Any firm equipped with this type of capability would have substantial advantages over those who didn’t.
What does the future hold?
In the near future, real-time data will revolutionise how businesses operate, transforming processes, habits and procedures. For instance, perpetual Know Your Customer (KYC) monitoring will be triggered by changes in customer data and behaviours rather than periodically scheduled reviews. Key developments will likely include:
- A unified customer view, offering a comprehensive, consistent profile of each customer
- AI-driven decision-making and predictive analytics
- Streamlined data collection, ensuring information is only requested once and only when necessary
- Harmonised regulations across regions, with consistent interpretation by all participants
Help is at hand
As the trusted global partner with deep expertise in financial services, we help firms navigate and develop regulatory solutions. We support the strategic modernisation of core systems, guiding the selection, evaluation and integration of commercial off-the-shelf (COTS) software and services. This includes clarifying AI capabilities, managing data integration for customers with emerging data science teams, and providing synthetic data to address privacy concerns. We also assist in implementing new regulatory initiatives and resolving existing compliance challenges.
We take a unique approach to enterprise modernisation, shaped by decades of cross-industry collaboration and customer insights. At its heart is an in-depth analysis of legacy systems, driven by data automation and patented technologies, to deliver a precise, low-risk and cost-effective system transformation. We leverage our customers’ expertise to validate, not generate, findings, ensuring accuracy. This method has consistently reduced risks in major system overhauls, with early integration of automation and AI providing a clear roadmap for deeper AI integration into business operations.
While compliance like DORA has traditionally been seen as a necessity, the right technology can turn it into a competitive advantage, allowing firms to manage risks effectively and capitalise on opportunities in a rapidly changing world.
If you’d like to learn more about DORA, take a look at our guide or get to know our AI solution that combines the power of data and multi-agent autonomous teams.