FinCrime Central - Latest AML/CFT News & Vendor Directory

The Countdown to DORA AML Compliance


As the deadline for compliance with the European Union's (EU) Digital Operational Resilience Act (DORA) approaches, financial services firms, and particularly those deploying anti-money laundering (AML) and transaction monitoring solutions, are feeling the pressure. DORA entered into force in January 2023 and applies from January 17, 2025, so these solutions must be aligned with its requirements by that date. Time is running out, and it is not just a matter of getting contracts with information and communications technology (ICT) providers in order: key systems such as AML and transaction monitoring tools must themselves meet the standards DORA sets.

DORA’s main objective is to strengthen firms’ operational resilience and cybersecurity, reducing vulnerabilities to ICT disruptions. This applies to a broad range of firms in the EU, including credit institutions, payment institutions, insurers, and investment firms, all of which depend on reliable ICT systems to maintain operational integrity. AML and transaction monitoring solutions are particularly critical here, as they help detect suspicious activities, safeguard financial systems, and ensure compliance with global financial regulations. As financial institutions rely on these systems to manage compliance and risk, ensuring DORA compliance in these systems is of paramount importance.

Understanding DORA’s Role in Financial Services and AML Compliance

DORA is designed to create a unified framework to mitigate the risks that arise from financial institutions’ growing reliance on digital services and third-party ICT suppliers. The digital transformation within financial services increases vulnerabilities, particularly in essential functions such as AML and transaction monitoring systems. These systems rely on continuous access to secure, real-time data and operations, making them prime targets for disruption.

For AML and transaction monitoring solutions, which are vital for detecting suspicious activity and meeting regulatory obligations, DORA is intended to keep these systems operational even during ICT disruptions. It requires that the ICT infrastructure supporting them is resilient, secure and able to keep operating under stress. Compliance also helps firms keep control over critical functions, including financial crime prevention, which is essential for limiting regulatory, reputational and financial risk.

DORA and Third-Party Risk Management in AML Systems

A significant aspect of DORA is its focus on third-party risk management, which has direct implications for AML and transaction monitoring solutions. DORA requires that contractual arrangements with ICT providers include specific provisions that safeguard against ICT disruptions affecting these essential systems. Because financial institutions depend heavily on third-party technology providers for their AML and transaction monitoring solutions, DORA requires firms to have robust mechanisms in place to manage the risks those suppliers introduce and to hold them to the contractual obligations the regulation prescribes.

DORA’s third-party risk management provisions ensure that critical services, such as those related to transaction monitoring and AML functions, are resilient and protected from external risks. These services must be clearly defined within contracts, with specified service level agreements (SLAs) and clear obligations for data processing, incident management, and security standards. In the context of AML and transaction monitoring solutions, these provisions are critical for ensuring that systems continue to monitor and analyze transactions for signs of fraud, money laundering, or other illicit activities, even in the event of disruptions.

The Challenges of Achieving Compliance for AML and Transaction Monitoring Systems

With the clock ticking toward the January 2025 deadline, firms that rely on AML and transaction monitoring solutions face a unique set of challenges in achieving DORA compliance. Many firms are still in the process of categorizing their ICT services and identifying which ones support critical functions like AML detection and transaction monitoring. In addition, locating and remediating existing contracts with suppliers of these systems presents another hurdle.

Given the importance of AML and transaction monitoring systems in the financial crime prevention landscape, these systems must meet the same standards as other critical functions under DORA. Compliance will require ensuring that service contracts with ICT providers include provisions for system resilience, data security, and incident management. Firms must also ensure that their AML and transaction monitoring solutions can continue to operate without disruption, even if one of their ICT suppliers faces issues.

The Core Requirements of DORA’s Contractual Provisions for AML Systems

DORA’s contractual provisions focus on ensuring firms have the necessary safeguards in place to maintain operational continuity for all critical functions, including those supported by AML and transaction monitoring systems. These contracts must contain clear descriptions of the ICT services provided, as well as detailed SLAs, which outline performance expectations and the actions to be taken if services fail. For AML and transaction monitoring solutions, these provisions ensure that such systems can continue operating even during periods of disruption.

DORA also mandates that contracts include obligations related to data, such as the firm's right to access, recover and have returned its transaction data and system logs if a supplier becomes insolvent, enters resolution or discontinues the service. This is especially relevant for AML and transaction monitoring systems, which rely on continuous access to data in order to detect and report suspicious activities. Additionally, DORA requires ICT providers to assist firms in the event of an ICT incident and to cooperate with the firm's regulators, so that AML systems can keep operating in full compliance during such times.

For contracts involving ICT services that support CIFs (critical or important functions), which include AML and transaction monitoring systems, DORA introduces even more stringent requirements (set out in Article 30(3) of the regulation). These include conditions on subcontracting, full service level descriptions with quantitative and qualitative performance targets, notice periods and reporting obligations, tested business contingency plans and ICT security measures, participation in threat-led penetration testing, unrestricted access and audit rights, and exit strategies, all of which are critical to ensuring that these systems are always ready to identify and report financial crime.

The Subcontracting RTS: An Additional Layer of Complexity for AML Systems

A particularly challenging aspect of DORA compliance for firms using AML and transaction monitoring solutions is the regulation’s focus on subcontracting arrangements. As many ICT providers subcontract portions of their services, firms must ensure they have full visibility into these subcontracting chains, especially for services supporting CIFs.

Under DORA's Subcontracting RTS, firms must ensure they have visibility into, and contractual control over, the subcontracting chain, especially for services that support essential functions like AML and transaction monitoring. Subcontractors may be responsible for critical components of AML systems, such as data processing and transaction analysis, and their failure could result in gaps in monitoring and compliance. DORA therefore requires that firms not only identify and manage subcontracting arrangements but also assess and mitigate the risks arising from these relationships.

Applying the Subcontracting RTS to AML Systems

Firms need to assess various factors when evaluating subcontractors for AML systems, including the subcontractor’s risk profile, location, and their role in the system’s overall function. They must also ensure that subcontractors are capable of providing the necessary resources to meet the performance expectations of DORA, including security standards and audit access. Since financial institutions rely on subcontractors for parts of their AML and transaction monitoring systems, ensuring compliance with DORA’s subcontracting provisions is critical to maintaining uninterrupted monitoring and reporting.

Due Diligence for AML and Transaction Monitoring Providers

The due diligence process for AML and transaction monitoring solution providers is another significant aspect of DORA compliance. Firms must conduct thorough checks before allowing a supplier to subcontract any part of the services supporting AML functions. This includes verifying the subcontractor’s ability to meet the required performance levels, as well as their ability to maintain security and provide audit access as mandated by DORA.

How to Approach Contractual Compliance and Remediation for AML Systems

Firms deploying AML and transaction monitoring solutions must adopt a systematic approach to contract remediation to ensure DORA compliance. The complexity of the regulatory landscape and the importance of AML compliance mean that these systems must meet DORA’s stringent requirements for resilience and security.

Whether adopting a blanket, tailored, or hybrid approach, firms should prioritize remediation efforts for contracts that involve AML and transaction monitoring services. Steps include drafting amendment templates for these contracts, carrying out a gap analysis to identify compliance shortfalls, and negotiating the necessary amendments with suppliers.

A DORA contractual-compliance and remediation program for AML systems should include:

  • Drafting template clauses to address DORA requirements for ICT contracts supporting AML and transaction monitoring.
  • Conducting a gap analysis to identify non-compliant contracts and develop a prioritization strategy.
  • Developing remediation playbooks and outreach strategies for negotiating amendments with suppliers.
  • Ensuring all contractual amendments are completed and recorded in the DORA register of information, which must cover all contractual arrangements with ICT third-party providers.

Conclusion – Time to Act is Now for AML and Transaction Monitoring Solutions

As the deadline for DORA compliance approaches, financial institutions cannot afford to delay remediation efforts for their AML and transaction monitoring systems. These critical systems must comply with DORA’s stringent requirements to ensure they remain resilient and capable of detecting and reporting suspicious activities even during disruptions. Firms should act now to prioritize compliance, mitigate risks, and ensure operational continuity in their AML and transaction monitoring systems.

Source: The International Banker
