
Navigating Regulatory Waters: D.O.R.A, SEPA Instant Payments, and the opportunities for Credit Unions

cuEngage Live saw 150+ members of the Credit Union industry come together to discuss Unlocking the Next Generation Credit Union. 

 

There’s no getting away from the fact that the regulatory demands on Credit Unions, particularly over the last 18-24 months, have been significant, which can make complying in full quite challenging.

 

However, it’s important to emphasise that the success and scalability of Credit Unions is underpinned by compliance and regulation, not constrained by it.

 

And that’s exactly what we discussed at cuEngage Live in the breakout session “Staying Ahead of the Curve; Powering success through D.O.R.A and SEPA Instant Payments”. 


Operational Resilience

The ability to demonstrate Operational Resilience against the Central Bank of Ireland (CBI) Guidance that was published in 2021 could be considered as a driver for a more direct supervisory focus on the Credit Union sector, aligning closer with the expectations the regulator has on larger Irish PSPs.

 

Guidance, however, leads to interpretation, and a need for standards on what would be appropriate and acceptable in how firms demonstrate how prepared and mature they would be in the face of an operational disruption.

The Wellington IT position was to bring together an internal Special Interest Group (SIG), with a specific technical skillset to represent the wider User Group, to get the value a Credit Union would need from an Operational Resilience Framework. This approach involved breaking down critical operational workflows and key dependencies within the organisation, with the purpose of shining a light on key components that ensure security and continuity of service for Credit Unions and in turn, the members.

 

Fundamentally, it was about mapping out those workflows and pinpointing the architecture and dependencies that support the services Wellington IT provides to the User Group. That perspective focuses on the strong control framework already in place, as well as highlighting where targeted continuity of service testing could be undertaken. This provides assurance to Credit Union Boards and ensures the Credit Union member can continually avail of all the services they rely on their Credit Union for.

Risk Identification

Risk identification is key to any successful Operational Resilience Framework, and to addressing the three CBI Pillars directly. Risks will exist, but it is the layers of control around them that provide the much-needed assurance. They may come in the form of IT asset failures, physical infrastructure, third party dependencies, personnel risks etc. They are evolving, and so must we.

 

Cyber risk is one that has become increasingly mainstream and a risk that mandates greater attention. Supervisory bodies have been tracking this closely and proposed an extension of the existing Operational Resilience Framework that we now live by, to include digital and cyber risk elements in greater focus as part of the Digital Operational Resilience Act (D.O.R.A).


D.O.R.A (Digital Operational Resilience Act)

While a reference to D.O.R.A might seem daunting as another incoming regulation, it is crucial to view its provisions as best practices that enhance a solid Operational Resilience Framework. Implementing the key components of D.O.R.A strengthens the overall resilience against cyber threats. 

 

Currently, Credit Unions remain exempt from D.O.R.A, but this could change. Other Irish PSPs, like major retail banks, must fully comply by January 17, 2025.

 

It was interesting to discover that 73% of the cuEngage Live audience see D.O.R.A as a positive concept for the Credit Union industry, despite the challenges faced in meeting the baseline requirements.

Wellington IT's approach to D.O.R.A

The good news is that, at Wellington IT, we are already in a strong position to meet the extended requirements with the embedded Operational Resilience Framework, which encompasses elements of D.O.R.A as best practice dictates.

 

It would be timely to start recognising the value of it and to start thinking about potential changes now, even though complying may appear to be a stretch.

One proposal is to standardise the approach, such as having a unified set of policies, procedures, and best practices across the User Group.

 

Another option is to integrate specific D.O.R.A metrics on incident reporting and trend analysis into the dedicated Operational Resilience SharePoint site, leveraging information sharing across the IT and financial services sectors – giving all sites a reference point of key content and metrics.

 

As we move into the second half of the year, it’s crucial that we start considering some of these options.

 

 

Even if the exemption for Credit Unions remains for now, it may be lifted in the future, given the CBI’s focus on Credit Unions’ ability to demonstrate resilience. This strategy is very much evident considering the CBI’s ICT Thematic Review which has brought a number of Irish Credit Unions into scope. The need to demonstrate a robust, secure and suitably governed environment is not going away, especially when we reflect on the wide range of digital services now offered by Credit Unions to their members.


SEPA Instant Payments

Operational Resilience and D.O.R.A have an even more significant place when it comes to the introduction of SEPA Instant Payments in 2025.

Instant Payments have been standard in the UK for 16 years, and when introduced in Ireland next year, Credit Union members will have the ability to send and receive credit transfers within 10 seconds. The European Commission has mandated this shift, moving away from Irish consumers only being offered the traditional batch payment method (SEPA Classic). Wellington IT’s Digital Platforms, cuOnline+ and cuMobile, will offer this capability.

Key initiatives of SEPA Instant Payments

Instantaneous: Instant sending and receiving of payments

Availability: Round-the-clock availability

VoP: Verification of Payee (VoP) for new payees

Batch & Instant: Offering both batch and instant payments (batch still used for specific settlements)

Transaction Monitoring: More frequent and granular transaction monitoring

Limits: €100k transaction limit, with PSPs possibly setting their own limits (this will require Credit Union engagement)

Potential Risks of SEPA Instant Payments

This initiative will transform the Irish market and member banking behaviour, providing exciting opportunities. Currently, only Revolut offers this service, presenting a significant opportunity for other PSPs, including Credit Unions.

While immediate fund transfers offer clear benefits, there are risks, such as Authorised Push Payment (APP) fraud, where funds sent for goods or services are never received, often linked to fraudulent invoices or re-direction scams. To address this, it’s crucial to retrieve funds swiftly if sent to the wrong recipient.

Enhanced awareness and education for members are going to be vital in combatting APP fraud. Despite measures like Confirmation of Payee (CoP) in the UK, APP fraud remains a significant issue. Know Your Customer (KYC) requirements also take on increasing importance for all involved.


Exciting opportunities lie ahead for members with SEPA Instant Payments

SEPA Instant is the missing puzzle piece to true “lights-out lending” – whereby your members could apply for a loan and have it auto-paid into their account in a matter of minutes! It’s crucial you start laying the foundation for these possibilities now, by checking out tools such as Automated Decisions and Open Banking.

However, what’s most important is investing in awareness campaigns and maintaining a resilient, scalable, efficient, and routinely tested data centre environment; all essential for successful service delivery!

Conclusion

The challenges of complying with the existing Operational Resilience requirements, and then adding in D.O.R.A, are quite evident, but these evolving regulations offer valuable insights into how to bolster your environment and shield against cyber threats.

Bring SEPA Instant Payments into the equation and the need to meet these requirements becomes even more relevant. The digital space is evolving at pace, and so the need to keep ahead of threat types to meet consumer demand is something we are keen to keep supporting collaboratively.
