For the financial sector, compliance with the Digital Operational Resilience Act (DORA) demands hard manual work that GenAI can make easier, says Marco Filtzinger, lead consultant for Cyber and Information Security at Sopra Steria Next Germany.
The Digital Operational Resilience Act (DORA) requires banks, fintechs and other financial service providers to meet high cybersecurity and operational resilience requirements. The Act requires comprehensive protection, monitoring and review of all IT systems and procedures that support important business processes in order to strengthen the resilience of individual companies and the European financial system against ICT (information and communications technology) disruptions and cyberattacks. Risks arising from the use of third-party service providers must always be taken into account.
Bank compliance: a reading circle for regulations
DORA and the associated regulatory and implementing technical standards (RTS and ITS) mean that experts have to extract the individual cyber and information security requirements from large volumes of complex text, analyse them, compare them with existing internal regulations and processes, and plan measures to implement the requirements that are not yet covered.
Even without the associated legal acts, DORA already contains more than 300 specific individual requirements, almost two-thirds of which are relevant to cyber security and operational resilience. This work is time-consuming and requires a high level of expertise. The comparison of external requirements with the internal rules and regulations and the determination of the degree of compliance must be carried out manually by experts from the compliance team.
It becomes particularly challenging when compliance teams have to comply with both national and international regulations. In this case, globally active financial companies must take into account, in addition to DORA, the country-specific cybersecurity and resilience requirements of their branches worldwide - which often means that regulations have to be analysed and interpreted in different national languages. The same applies to EU directives, which the individual member states are obliged to transpose into national law - and which are then often available only in the respective national language. Generative artificial intelligence (GenAI) can also help here.
GenAI as an efficiency booster for compliance in the financial sector
With the help of GenAI, many steps in establishing compliance with relevant regulatory and supervisory requirements can be fully or partially automated. For example, large volumes of text in different languages can be automatically screened for relevance in a very short time, and the information relevant to cyber and information security can be extracted from them.
Increased efficiency through automated target/actual comparison
One of the most time-consuming tasks for compliance teams is the target/actual comparison (gap analysis), which determines the extent to which the internal guidelines already comply with the new or amended regulatory requirements. This manual comparison can take weeks for complex requirements such as DORA.
GenAI saves an enormous amount of time here by automatically mapping the external requirements to the internal regulations, evaluating the degree of coverage and recommending actions to address the requirements that are missing. With the help of GenAI, this process step is completed in minutes or hours, compared to manual processing, which often ties up top experts for weeks.
What remains is the manual task of verifying and quality-assuring the results generated by the AI. This increase in efficiency of up to 90% gives management rapid transparency about the compliance status in relation to an external requirement and the resulting need for action, allowing them to make targeted decisions and initiate measures.
Centralisation of the compliance function: GenAI as an advantage for globally active banks
The use of GenAI is particularly valuable for internationally active banks, as the technology can easily analyse documents written in different languages. In this way, compliance work for different countries can be centralised and coordinated. For example, a compliance team in Germany could carry out an AI-supported preliminary analysis for DORA, while the regional teams in other countries carry out quality assurance and fine-tuning. This not only makes the compliance process centrally controllable, but also more efficient and cost-effective.
Time for the essentials: Focus on strategic compliance tasks
By using GenAI, compliance experts have more time for governance tasks, such as monitoring compliance with regulations and maintaining and developing the internal rules and regulations. AI can take over the “reading work” and relieve compliance experts so that they can concentrate on the essentials: ensuring robust and secure business operations.
GenAI as a trailblazer for a modern compliance organisation
In summary, GenAI can revolutionise compliance work in banks and fintechs. Increased efficiency through automated multilingual text analysis and fast target/actual comparisons makes it possible to implement legal requirements such as DORA not only faster, but also in a more controlled and accurate manner.
However, the smooth use of AI requires clear governance and well-thought-out processes in order to make full use of the technology and minimise risks. It makes sense to use AI as a supporting tool and booster within a well-thought-out and mature compliance process.
The successful integration of GenAI into compliance opens up new opportunities for banks to position themselves in a future-oriented and resilient manner in the digital age. DORA is an important milestone on the way to a secure and resilient financial sector - and GenAI is key to the efficient implementation of the DORA requirements.