Future-proofing fintech by navigating the UK’s Operational Resilience Framework

Rupert Bull is the Co-Founder and CEO of The Disruption House

In 2025, disruption has become the norm. To adapt, fintech leaders must put resilience at the heart of their strategies.

While UK-based fintechs currently face fewer looming financial penalties for non-compliance with stringent regulations like DORA, they should not overlook the UK’s operational resilience framework that will soon come into play. While only the largest fintech firms will be directly regulated under DORA and the upcoming framework, many will still need to meet those standards in order to continue selling their products and services to financial institutions. As a result, fintech leaders must look to these regulations as an opportunity for continued growth, rather than a compliance burden to shoulder.

The UK’s take on DORA

The Digital Operational Resilience Act (DORA) is the acronym on everyone’s lips in financial services. As we know, this regulation, which came into force at the start of 2025, is designed to boost IT security and resilience for banks, insurance companies, investment firms, and other financial entities. It is designed to ensure the financial sector can withstand major operational disruptions, and to standardise the approach to resilience. While DORA applies to firms with operations in the EU, UK regulators followed suit in introducing their own, slightly more flexible guidelines – ensuring alignment with EU standards whilst tailoring the approach to the UK’s own regulatory landscape.

The framework, known as PS21/3: Building operational resilience, was introduced by the FCA, PRA, and Bank of England as a guideline for financial institutions to build a similar level of operational resilience. Much like DORA, the framework calls on financial institutions to better manage Information and Communication Technology (ICT) risk – including that of their suppliers. As fintechs fall into this supplier category, the risk of fines in the case of failure lies with the institution rather than the technology provider. This also means fintechs must not be the weak link in the larger chain of resilience in financial services. So, what should be done?

The guidelines outline how senior management must identify which critical services could affect core operations if disrupted, and assess their ability to continue running those services within impact tolerances during any incident. They also require firms to regularly test their capacity to sustain those services on an ongoing basis. Any vulnerabilities that could prevent a firm from staying within its impact tolerances must also be identified and addressed accordingly.

The compliance deadline for the framework is the 31st of March 2025, but unlike DORA, non-compliance is unlikely to result in immediate, severe penalties. Whilst this financial threat of sanctions has not yet been introduced, the enforcement of DORA suggests it is a wise business decision to embed resilience into your business processes sooner rather than later. Gradual adoption in advance of the deadline helps firms become compliant without having to disrupt their processes or uproot existing systems, while also mitigating the risk of potential fines for their clients.

Compliance as an opportunity not a burden

It’s easy to see additional regulations as a compliance burden. But such a view is short-sighted – especially for fintechs. The introduction of this framework presents an opportunity to future-proof your organisation and stay ahead of client needs in a competitive, disruptive industry.

One of the most immediate and obvious benefits of early compliance is avoiding potential fines for clients and partners. But avoiding fines is just the tip of the iceberg – early compliance can pave the way to a multitude of potential growth opportunities. 

By complying with DORA early, UK fintechs can demonstrate their creditworthiness and establish trust with large international players that are mandated to adhere to the DORA regulation – including clients, partners, investors, and suppliers. Pre-emptively aligning with these guidelines could also position fintech firms as leading the charge in the UK, enhancing their reputation, improving access to funding, and strengthening relationships with all stakeholders.

Additionally, displaying readiness to comply highlights a commitment to sustainable growth, bolsters an organisation’s reputation, and builds a competitive advantage in a highly saturated market.

However, the reverse can pose real risks. Being found non-aligned with the enhanced due diligence requirements of DORA can result in a slowdown, if not a complete stop, in sales for fintech firms. After all, no financial institution would willingly and knowingly take on a supplier that would put it at risk of a major fine or reputational harm.

Getting started on your journey to operational resilience

Knowing where to start your journey to align with these new guidelines can be challenging, and it may seem easier for firms to avoid the framework altogether since compliance isn’t mandatory – yet.

But this would be short-sighted thinking. Early compliance provides a key competitive advantage in our highly regulated industry, and goes a long way in appealing to and reassuring clients, partners and investors. This is where advisors like The Disruption House come into play, conducting a thorough gap analysis to identify quick, achievable improvements that ensure full DORA compliance.
