EU DORA Regulation & Operational Resilience Requirements

EU DORA Regulation & Operational Resilience Requirements

21 Min Read

One of the most talked about topics currently in legal, financial services and cyber security circles is on the implementation of DORA, or to give it its formal name the Regulation on digital operational resilience for the financial sector.

As a regulatory framework, DORA includes two legislative initiatives:

  1. Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and amending Regulations (EC) 1060/2009, (EU) 648/2012, (EU) 600/2014, (EU) 909/2014 and (EU) 2016/1011, commonly referred to as DORA, and
  2. Directive (EU) 2022/2556 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector, commonly referred to as the DORA Directive.

DORA entered into force on 16 January 2023 and applies from 17 January 2025.  DORA has at its heart a recognition that financial systems across the EU are part of each country’s critical national infrastructure.  There’s a recognition that many financial services organisations are reliant on a few key services providers and that an incident compromising one of those providers could have a significant effect on financial services across the EU.

DORA has caused a lot of concern in the financial services, technology and cyber security communities, but is it as worrying as it first seems?

What is Operational Resilience?

Operational resilience is the ability of firms and the financial sector to prevent, adapt, respond to, recover from, and learn from operational disruptions. It goes beyond business continuity and disaster recovery and is a strategic priority for regulators across the globe.

Whilst DORA is an EU measure, operational resilience is on the agenda for UK financial firms too.  Operational resilience requirements in the UK were introduced on 31 March 2022 – there’s a bit more on the UK regime below too.

What is DORA?

On 24 September 2020 the European Commission published proposals for DORA. These proposals were part of the Commission’s digital finance package.

DORA is designed to consolidate and upgrade Information Communication Technologies (ICT) risk requirements throughout the EU financial services sector to ensure that a very wide range of participants in the sector are subject to a common set of standards to mitigate ICT risks. 

This includes cyber security risks.  Given its concentration on supply chain resilience however, it will have an impact much wider than financial services.

Specifically, DORA establishes requirements for:

  1. dedicated ICT risk management capabilities
  2. reporting of major ICT-related incidents
  3. digital operational resilience testing
  4. management by financial entities of ICT third-party risk
  5. information sharing among financial entities

In addition, as we have said DORA extends its reach beyond the financial services sector and introduces an EU oversight framework for critical ICT providers such as cloud service providers.

It is important to remember that the main DORA Regulation is binding legislation that is directly applicable in Member States after its entry into force. The DORA Directive will need to be transposed into each Members States’ national law.

What are the Key Dates?

  • 27 December 2022:  DORA and the DORA Directive were published in the Official Journal of the EU.
  • 16 January 2023:  DORA and the DORA Directive entered into force.
  • 17 January 2025:  DORA will apply from 17 January 2025. Member States will also be required to transpose the DORA Directive into national law by the same date.

What is Digital Operational Resilience?

In DORA, ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.

Which Financial Services Firms does DORA apply to?

DORA applies to ‘financial entities’.  There is a wide definition of financial entitles in DORA but that will include:

  • credit institutions
  • payment institutions
  • account information service providers
  • electronic money institutions
  • investment firms
  • central securities depositories (CSDs)
  • central counterparties (CCPs)
  • trading venues
  • managers of alternative investment funds
  • management companies
  • data reporting service providers
  • insurance and reinsurance undertakings
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • institutions for occupational retirement provision
  • credit rating agencies
  • crowdfunding service providers, and
  • securitisation repositories

There are some financial providers who are excluded from the scope of DORA including some managers of alternative investment funds and some insurers and reinsurers.  EU Member States can also exclude other entities from the scope of DORA.

What are Critical ICT Service Providers?

ICT service providers may be designated as ‘critical’ for the purposes of DORA on the basis of a set of quantitative and qualitative criteria – there’s more details below.

What is Risk Management?

Internal Governance and Control

Financial entities are required to have in place, under the ultimate responsibility of their management bodies, a comprehensive internal governance and control framework that ensures an effective and prudent management of ICT risk and achieves a high level of digital operational resilience.

Members of the management body are required to actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on operations of the financial entity, commensurate to the ICT risk being managed.

This is likely to require increased involvement of people with ICT risk knowledge on the board and in senior management.  DORA and equivalent legislation elsewhere has already seen a significant recruitment drive as a result.  For example, according to an EY survey in August 2023 61% of US public companies are looking for cyber security skills for their board.

ICT Risk Management Framework

There must be a sound, comprehensive and well-documented ICT risk management framework which enables financial entities to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience and minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools.

There may need to be structural change too – there should be appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.

DORA is also not a ‘one and done’ process – the ICT risk management framework must be documented and reviewed at least once a year (with limited exceptions). 

In addition the framework should be reviewed following every major ICT-related incident, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes.  The framework must be continuously improved on the basis of lessons learned from implementation and monitoring. 

Among other things the framework must include the risk tolerance level for ICT risk and the impact tolerance for ICT-related events, and outline a communications strategy for ICT-related incidents.

ICT Systems, Protocols and Tools

ICT systems, protocols and tools must be appropriate to the level of operations being carried on, reliable, equipped with sufficient data processing capacity, and technologically resilient so as to adequately deal with additional information processing needs under stressed market conditions or other adverse situations.

Identification and Mapping

Financial entities are required to identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk.  They must, on a continuous basis, identify all sources of ICT risk and, at least yearly, review the risk scenarios impacting them.

Financial entities must identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment, and map those considered critical.  In addition, they must identify and document all processes that are dependent on ICT third-party service providers, and identify interconnections with ICT third-party service providers. 

Whilst this is not the same process as compiling a record of processing activity (RoPA) under GDPR, financial entities who have already done a RoPA might find that a useful place to start.

Protection and Prevention

Financial entities are required to continuously monitor and control the security and functioning of ICT systems and tools and deploy appropriate ICT security tools, policies and procedures with the aim of ensuring the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and maintaining high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.

This includes implementing policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establishing to that end a set of policies, procedures and controls that address access rights and ensure sound administration of those rights.

Again, those organisations that have made efforts to ensure GDPR compliance will be in good shape.  They should be able to adapt the policies and procedures they already have in place to deal with data breaches under GDPR.

Detection

Financial entities are required to have mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure.  This is likely to be a series of technical and organisational measures.  Detection software will be part of this but software alone won’t solve the problem.  Organisations will need to provide the resources to act on alerts, triage the appropriate response and deal with any issues quickly.

Response and Recovery

Financial entities must put in place and implement a comprehensive ICT business continuity policy, and associated ICT response and recovery plans and ICT business continuity plans.

As part of the overall business continuity policy, financial entities must conduct a detailed business impact analysis (BIA) of their exposures to severe business disruptions, taking into account the criticality of identified and mapped business functions, support processes, third-party dependencies and information assets, and their interdependencies. 

ICT assets and ICT services must be designed and used in full alignment with the BIA, in particular with regard to adequately ensuring the redundancy of all critical components.

Financial entities are required to test their ICT business continuity plans and the ICT response and recovery plans in relation to ICT systems supporting all functions at least yearly.  Rehearsing an incident, for example by conducting a Punter Southall Law Data Breach Academy might help meet these DORA obligations.  Our team has experience of guiding organisations through realistic simulated events which will help meet these new DORA obligations.

Financial entities (again with some exceptions) must have a crisis management plan and there will need to be clear procedures to manage crisis communications.  Again, those organisations who have a data breach plan in place to meet their GDPR requirements, are likely to be able to adapt that plan to meet their DORA obligations.

Backup Policies and Procedures, Restoration and Recovery Procedures and Methods

Financial entities are required to develop and document backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data, and restoration and recovery procedures and methods.

Financial entities, other than microenterprises, must maintain redundant ICT capacities equipped with resources, capabilities and functions that are adequate to ensure business needs.

We have seen that many ransomware attacks target back up systems too so organisations will need to check that their back up systems are robust and properly defended.  Organisations will need to make sure that they can quickly restore from back up too.

Learning and Evolving

A growing trend has been the obligation on financial services providers to do horizon scanning to look at the threats that they face.  A particularly good example has been the Bank of England’s CBEST program which has been in place since 2014.

Under DORA, financial entities must gather information on vulnerabilities and cyber threats and analyse the impact they might have on their digital operational resilience.  If there is an incident, financial entities will have to have a post-mortem to see the lessons learned.  They will also have to develop security awareness programs and digital operational resilience training. 

Once again having a good GDPR program in place is likely to help here.

Communication

Financial entities must establish crisis communication plans enabling a responsible disclosure of major ICT-related incidents or vulnerabilities to clients and counterparts and the public, and communication policies for internal staff and for external stakeholders.

Again, this will require careful thought.  Often a knee-jerk reaction with communications people unfamiliar with this space is to blame any incident on a nation state.  This might be untrue (or at least hard to prove) and could invalidate an organisation’s insurance coverage.

Reporting of major ICT-related Incidents and Voluntary Notification of Significant Cyber Threats

DORA provides for:

  • reporting of major ICT-related incidents to competent authorities
  • optional notification of significant cyber threats to competent authorities when the threat is deemed to be of relevance to the financial system
  • sharing of information to clients without undue delay following a major ICT-related incident which has an impact on the financial interests of clients
  • sharing information to clients that are potentially affected by a significant cyber threat on any appropriate protection measures which clients may consider taking, and
  • sharing of information by competent authorities with ESMA, EBA, EIOPA, ECP and other authorities

The reporting and notification requirements also apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions.

Digital Operational Resilience Testing

DORA specifies the assessments, tests, methodologies, practices and tools to be applied in digital operational resilience testing, including advanced testing of ICT tools, systems and processes based on TLPT (threat-led penetration testing which mimic the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat).

ICT Third-Party Risk Management

Financial entities that have in place contractual arrangements for the use of ICT services to run their business operations remain fully responsible for compliance with, and the discharge of, all obligations under DORA and applicable financial services law. DORA specifies the minimum provisions that must be included.

Financial entities must adopt and regularly review a strategy on ICT third-party risk which includes a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. 

They must also maintain a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

A finance entity’s pre-contractual risk assessment must include an assessment of ICT concentration risk.

Exit strategies must be put in place for ICT services supporting critical or important functions, taking into account risks that may emerge at the level of ICT third-party service providers. 

It must be possible to exit contractual arrangements without disruption to business activities, limiting compliance with regulatory requirements or detriment to the continuity and quality of services provided to clients.

Again, this is a difficult area.  We have had a number of recent incidents where ICT third party service providers have experienced difficulties which have had effects across the system. 

For example, in the UK in 2023, Capita suffered an incident which was likely caused by a ransomware gang and included the exfiltration of data from its servers.  Complaints were made by some customers that they were struggling to get information from Capita and regulators became concerned.

On 12 May 2023, the UK Pensions Regulator issued a statement on the Capita incident reminding pension trustees of their responsibilities to secure members’ data. 

Trustees were told to continue communications with Capita and to be prepared to answer questions from pension fund members.  They were also reminded of the need to possibly notify the Pensions Regulator and the Information Commissioner’s Office.  The Pensions Regulator also did not rule out the possibility of further investigations saying “We may engage with you further to understand the steps you have taken and what progress you have made”.

Lead Overseer

There is a formula in DORA for working out which supervisory authority will be the Lead Overseer in each case.  The Lead Overseer for each critical ICT service provider shall be the European Supervisory Authority (ESA) that is responsible for the financial entities having together the largest share of total assets out of the value of total assets of all financial entities using the services of the critical ICT service provider.

The Lead Overseer is required to assess whether the critical ICT service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities, focusing mainly on ICT services supporting the critical or important functions of financial entities, and then to adopt an oversight plan.

The Lead Overseer has power to:

  • request all relevant information and documentation
  • conduct general investigations and inspections
  • make recommendations, and
  • request reports specifying the actions that have been taken or the remedies that have been implemented by the critical ICT service providers in relation to the Lead Overseer’s recommendations

National competent authorities (NCAs) are required to inform the relevant financial entities of the risks identified in the Lead Overseer’s recommendations, and financial entities are required to take these risks into account when managing ICT third-party risk.

Will Financial Entities within the Scope of DORA also be Subject to the Requirements of the Proposed EU Cyber Resilience Act?

Possibly.  On 12 March 2024 the European Parliament approved the Cyber Resilience Act (the CRA). This Act aims at ensuring a high level of cybersecurity of hardware and software that is placed on the EU market, as well as setting cybersecurity conditions for users when using the products.

The primary targets of the CRA are manufacturers (including developers) that are placing on the market products with digital elements (PDEs) whose intended or reasonably foreseeable use includes a connection to a device or network. These products are defined rather broadly and include both hardware and software products. In principle, products with digital elements placed on the market by financial services firms would be included.

Will DORA include personal liability?

Yes. Members States will be responsible for establishing the penalties and remedial measures under DORA, which can apply to both natural and legal persons. Additionally, Member States can apply the penalties or remedial measures of a legal entity to members of its management body and other responsible individuals. Member States may also choose to establish criminal penalties for breaches of DORA.

What are the UK Operational Resilience Requirements?

It is important to remember that whilst DORA does not apply to the UK financial services sector (save for those UK entities that are also subject to the EU regime), operational resilience is a key priority for UK regulators too. 

In many respects the UK regime is similar with the following key elements:

  1. identify ‘important business services’ (defined differently in the FCA and PRA rules) that could cause ‘intolerable harm’ if disrupted
  2. set an impact tolerance for ‘severe but plausible’ disruptions to each important business service
  3. carry out a mapping exercise (of people, technology, resources and systems), appropriate to the size, scale and complexity of the firm’s business model
  4. carry out scenario testing, i.e. can the firm stay within their impact tolerances for each important business service in the event of a severe but plausible disruption to operations
  5. consider lessons learnt from testing or after an operational disruption
  6. develop a strategy for internal and external communications to reduce the anticipated harm caused by operational disruptions
  7. undertake self-assessments, which are approved and regularly reviewed by the board

When did the UK Rules Start to Apply?

  • The core FCA and PRA operational resilience rules came into force 31 March 2022.
  • A three-year transition period applies from 31 March 2022 to 31 March 2025 for firms to comply with rules requiring them to remain within impact tolerances for each important business service, including developing more sophisticated mapping processes and testing.
  • The new UK regime applies in full from 31 March 2025.

Are there any examples of UK activity to date?

Yes.  For example, there was an FCA and PRA fine for TSB in December 2022 of £48.65m. 

This related to operational risk management and governance failures including management of outsourcing risks relating to the bank’s IT upgrade program.  Technical failures in TSB’s IT systems resulted in customers being unable to access banking services.  TSB also paid £32.7m in redress to customers.  It received a 30% discount for agreeing a resolution otherwise this would have been a £69.6m penalty.  TSB’s CIO Carlos Abarca was also fined personally.

Financial services firms are required to have in place sound, effective and comprehensive strategies, processes and systems that enable them adequately to comply with the applicable operational resilience requirements.

Next Steps

Clearly, any organisation that is in the DORA regime, or provides services to those that are, will need to consider what it can do to meet its responsibilities under DORA.  Whilst existing risk management and GDPR systems and processes can help this is likely to be a significant project for most and will include:

  1. A gap analysis to focus on the work that needs to be done
  2. Training on operational resilience – this is likely to include the IT team, communications professionals and the compliance function
  3. Making sure that processes and procedures are in place to do horizon scanning and to respond promptly to incidents.  This is likely to include a review and testing of your incident response process
  4. Looking at the board and senior management team’s skills and expertise – in many cases recruitment will be necessary to plug gaps
  5. For financial services organisations:  Working out key dependencies, mapping devices and storage locations etc. and ensuring that compliant contracts are in place with all third party providers
  6. For third party providers:  Working out which key clients are likely to be in the DORA regime and anticipating the assistance they will need to comply
  7. Working out your regulatory regime:  work out who your key regulators will be and how you will meet your obligations to keep them informed
  8. Robust testing of your new processes and the measures you have put in place

For more information, please contact our specialists at Punter Southall Law.

Jonathan Armstrong Lawyer

Jonathan Armstrong

Partner

Jonathan is an experienced lawyer based in London with a concentration on compliance & technology.  He is also a Professor at Fordham Law School teaching a new post-graduate course on international compliance.

Jonathan’s professional practice includes advising multinational companies on risk and compliance across Europe.  Jonathan gives legal and compliance advice to household name corporations on:

  • Prevention (e.g. putting in place policies and procedures);
  • Training (including state of the art video learning); and
  • Cure (such as internal investigations and dealing with regulatory authorities).

Jonathan has handled legal matters in more than 60 countries covering a wide range of compliance issues.  He made one of the first GDPR data breach reports on behalf of a lawyer who had compromised sensitive personal data and he has been particularly active in advising clients on their response to GDPR.  He has conducted a wide range of investigations of various shapes and sizes (some as a result of whistleblowers), worked on data breaches (including major ransomware attacks), a request to appear before a UK Parliamentary enquiry, UK Bribery Act 2010, slavery, ESG & supply chain issues, helped businesses move sales online or enter new markets and managed ethics & compliance code implementation.  Clients include Fortune 250 organisations & household names in manufacturing, technology, healthcare, luxury goods, automotive, construction & financial services.  Jonathan is also regarded as an acknowledged expert in AI and he currently serves on the New York State Bar Association’s AI Task Force looking at the impact of AI on law and regulation.  Jonathan also sits on the Law Society AI Group.

Jonathan is a co-author of LexisNexis’ definitive work on technology law, “Managing Risk: Technology & Communications”.  He is a frequent broadcaster for the BBC and appeared on BBC News 24 as the studio guest on the Walport Review.  He is also a regular contributor to the Everything Compliance & Life with GDPR podcasts.  In addition to being a lawyer, Jonathan is a Fellow of The Chartered Institute of Marketing.  He has spoken at conferences in the US, Japan, Canada, China, Brazil, Singapore, Vietnam, Mexico, the Middle East & across Europe.

Jonathan qualified as a lawyer in the UK in 1991 and has focused on technology and risk and governance matters for more than 25 years.  He is regarded as a leading expert in compliance matters.  Jonathan has been selected as one of the Thomson Reuters stand-out lawyers for 2024 – an honour bestowed on him every year since the survey began.  In April 2017 Thomson Reuters listed Jonathan as the 6th most influential figure in risk, compliance and fintech in the UK.  In 2016 Jonathan was ranked as the 14th most influential figure in data security worldwide by Onalytica.  In 2019 Jonathan was the recipient of a Security Serious Unsung Heroes Award for his work in Information Security.  Jonathan is listed as a Super Lawyer and has been listed in Legal Experts from 2002 to date. 

Jonathan is the former trustee of a children’s music charity and the longstanding Co-Chair of the New York State Bar Association’s Rapid Response Taskforce which has led the response to world events in a number of countries including Afghanistan, France, Pakistan, Poland & Ukraine.

Some of Jonathan’s recent projects (including projects he worked on prior to joining Punter Southall) are:

  • Helping a global healthcare organisation with its data strategy.  The work included data breach similuations and assessments for its global response team.
  • Helping a leading tech hardware, software and services business on its data protection strategy.
  • Leading an AI risk awareness session with one of the world’s largest tech businesses.
  • Looking at AI and connected vehicle related risk with a major vehicle manufacturer.
  • Helping a leading global fashion brand with compliance issues for their European operations.
  • Helping a global energy company on their compliance issues in Europe including dealing with a number of data security issues.
  • Working with one of the world’s largest chemical companies on their data protection program. The work involved managing a global program of audit, risk reduction and training to improve global-privacy, data-protection and data-security compliance.
  • Advising a French multinational on the launch of a new technology offering in 37 countries and coordinating the local advice in each.
  • Advising a well-known retailer on product safety and reputation issues.
  • Advising an international energy company in implementing whistleblower helplines across Europe.
  • Advising a number of Fortune 100 corporations on strategies and programs to comply with the UK Bribery Act 2010.
  • Advising of Financial Services Business on their cyber security strategy.  This included preparing a data breach plan and assistance in connection with a data breach response simulation.
  • Advising a U.S.-based engineering company on its entry into the United Kingdom, including compliance issues across the enterprise. Areas covered in our representation include structure, health and safety, employment, immigration and contract templates.
  • Assisting an industry body on submissions to the European Commission (the executive function of the EU) and UK government on next-generation technology laws. Jonathan’s submissions included detailed analysis of existing law and proposals on data privacy, cookies, behavioural advertising, information security, cloud computing, e-commerce, distance selling and social media.
  • Helping a leading pharmaceutical company formulate its social media strategy.
  • Served as counsel to a UK listed retailer and fashion group, in its acquisition of one of the world’s leading lingerie retailers.
  • Advising a leading U.S. retailer on its proposed entry into Europe, including advice on likely issues in eight countries.
  • Working with a leading UK retailer on its proposed expansion into the United States, including advice on online selling, advertising strategy and marketing.
  • Dealing with data export issues with respect to ediscovery in ongoing court and arbitration proceedings.
  • Advising a dual-listed entity on an FCPA investigation in Europe.
  • Acting for a U.S.-listed pharmaceutical company in connection with a fraud investigation of its Europe subsidiaries.
  • Acting for a well-known sporting-goods manufacturer on setting up its mobile commerce offerings in Europe.
  • Comprehensive data protection/privacy projects for a number of significant U.S. corporations, including advice on Safe Harbor Privacy Shield and DPF.
  • Risk analysis for an innovative software application.
  • Assisting a major U.S. corporation on its response to one of the first reported data breaches.
  • Work on the launch of an innovative new online game for an established board game manufacturer in more than 15 countries.
  • Advice on the setting up of Peoplesoft and other online HR programs in Europe, including data protection and Works Council issues.
  • Advising a leading fashion retailer in its blogging strategy.
  • Advising one of the world’s largest media companies on its data-retention strategy.
  • Advising a multinational software company on the marketing, development and positioning of its products in Europe.

Lilian Small Lawyer

Lilian Small

Partner

Lilian specialises in advising clients in financial services on a wide range of issues including assisting with internal and FCA enforcement investigations, the implementation of regulatory change projects such as the Consumer Duty, managing remediation programmes, advising on compliance with the Conduct Rules and SM&CR requirements, FCA notification obligations and responding to supervisory enquires. Lilian acts for a broad range of clients from individuals and whistleblowers to financial institutions including retail banks, asset managers, brokers, commodity trading houses and alternative investment managers.

Lilian has previously held senior roles at the FCA, in-house at a global investment bank where she was responsible for managing a number of high-profile regulatory enforcement and internal investigations across the EMEA region and was Of Counsel at Simmons & Simmons.

Lilian is a member of the Executive Committee of the Financial Services Lawyers Association and Chair of the Equality, Diversity and Inclusion Committee.

Advisory practice

Lilian advises on a range of regulatory compliance issues including AML and financial crime systems and controls, competition, corporate governance, conduct risk issues, remuneration rules and supervisory processes including skilled person reviews, remediation programmes, regulatory notifications and perimeter advice (whether activities fall within the FCA’s regulatory perimeter). Lilian also advises firms and individuals on how to navigate data protection issues including bringing and/or responding to a Data Subject Access request and how to mitigate the risks of data breaches.

Recent matters include:

  • supporting a retail bank on the implementation of the Consumer Duty with a specific focus on the “Consumer Understanding” requirements (including the review of key customer communications and assessing the needs of vulnerable ecostumers);
  • advising an FCA regulated stockbroker on the implementation of a business winddown programme and the protection of client assets;
  • designing and delivering a bespoke Conduct Rules training programme to the board of a global asset manager and conducting a virtual roll out to certified employees;
  • advising a non-FCA regulated firm on investor KYC requirements and financial promotions in response to enquiries made by the FCA’s Financial Promotions team;
  • advising on remuneration policies and procedures for an alternative investment manager including the implementation of long-term incentive plans, deferral requirements and malus and clawback polices;
  • advising a global investor consortium impacted by the failure of a student property development including advising on the creation of a compliant Unregulated Collective Investment Scheme and financial promotions requirements;
  • advising an investment platform on enhancements to AML and KYC policies and procedures required to assess potential clients from high-risk jurisdictions; and
  • advising on various FCA applications: including firm authorisation, Change of Control and applications for Senior Management Functions.

Contentious regulatory practice

Lilian advises on a range of contentious regulatory issues including how to manage contentious regulatory enquires and early intervention mechanisms (including section 165 FSMA information requirements, skilled person reviews, solvency issues and VREQs), conducting and advising on internal investigations, whistleblowing issues and defending regulatory enforcement investigations. Lilian advises on fitness and propriety issues and the assessment of conduct rule breaches, regulatory notification obligations and regulatory references. Lilian also assists clients with other professional discipline matters including investigations by the SRA, ICAEW and the Insolvency Service.

Recent matters include:

  • advising a global asset manager in respect of an internal investigation of misconduct by a junior member of back-office staff including an  assessment of fitness and propriety, regulatory notifications and disciplinary sanctions;   
  • acting for a whistleblower portfolio manager in raising concerns about fund mandate breaches in respect of a UCITS fund;    
  • acting for an investment banker in respect of an internal investigation, regulatory enforcement investigation and satellite litigation;   
  • acting for a FCA regulated investment manager and former General Partner of a fund resulting from a dispute between the founding partners;
  • acting for a Compliance Officer and Director of an FCA regulated stockbroker in respect of a regulatory enforcement investigation and proposed action by the Insolvency Service;  
  • conducting an internal investigation for an FCA regulated investment manager concerning fraud allegations against a founding partner;
  • advising on suitability issues and financial advice complaints including DB pension transfers; and
  • advising a mortgage broker on recruitment policies and regulatory references in light of lender decision to remove the broker from the lending panel.  

Client Testimonials

“Ever since our first conversation Lillian has always been very clear, calm and above all practical. Were it not for Lillian I would not have been able to continue working as the legal issues would have overwhelmed me. I am extremely grateful for all her help and recommend her unreservedly”.Portfolio Manager, Investment Manager

“I’ve worked with Lilian for almost 10 years and am consistently impressed with her. Lilian is super responsive, friendly, professional and highly knowledgeable within the FS sector. Lilian can take extremely complex legal matters and break it down into lay terms, which can then be easily understood and digested within the business. I’ve dealt with numerous alternative attorneys in the past and they do not compare to the service level provided by Lilian.”Head of Human Resources, Alternative Asset Manager

“Lilian is a highly skilled regulatory lawyer who has excellent client relationship skills and has a pragmatic and commercial approach to issues. Having been instructed on short notice to assist on an ongoing project she impressed the whole team with her approach and input. Her support was invaluable”.Head of Regulatory Legal, Retail Bank

“I am incredibly grateful for the outstanding and always fast service provided by Lilian. Her unparalleled knowledge, practical approach and unwavering dedication have been instrumental in navigating complex regulatory matters with ease. I wholeheartedly recommend her to anyone seeking top-tier legal counsel in the UK financial services industry”.Founder, Alternative Investment Fund

“I have had the opportunity to work with Lilian for a number of years. Her insights and guidance are always well balanced, she is extremely responsive, highly knowledgeable and most importantly a pleasure to partner and work with.”Head of Human Resources EMEA, Global Asset Manager


John Grayston European Law Lawyer

John Grayston

Consultant

John Grayston is an experienced lawyer specialising in European law with a specific reputation and practice in the areas of European trade and customs law including export control and sanctions. 

John represents and advises clients on trade and customs compliance across Europe as well as representing clients in court proceedings before national courts and the European Courts of Justice.

Based in Brussels, John qualified as a solicitor but also practices as a Belgian avocat.

John serves as Honorary European Legal Counsel to the International Compliance Professionals Association (ICPA).


Related Insights

Insights

European Financial Review: Jonathan Armstrong on the implications of the EU AI Act

Jonathan Armstrong, Partner in our Compliance Department, recently contributed an article to The European Financial Review, a trusted source for essential market insights and strategies, discussing the EU Artificial Intelligence...

5 Min Read

Read More European Financial Review: Jonathan Armstrong on the implications of the EU AI Act