When UK Finance invited us to present to their Third Party & Outsourcing Committee last week, we knew it was a big deal. Not just because they represent nearly 300 of the UK's leading financial institutions, but because it validated something we've believed for a while: legal professionals need better tools to help their clients prepare for DORA.
Let's back up a bit. DORA (the Digital Operational Resilience Act) comes into effect in January 2025, and it's set to reshape how financial institutions manage their digital operations. Think GDPR, but for operational resilience. Even if you're not based in the EU, this is likely to become the global standard that everyone follows.
During our presentation to UK Finance's members, we showed how generative AI can transform DORA compliance from a headache into a structured, manageable process. This isn’t a process where “AI gives you an answer”; instead, it is an approach that breaks down complex regulatory requirements into workflows, leading to more accurate and trustworthy compliance assessments.
The “traditional” approach to checking DORA compliance might involve giving ChatGPT details of the DORA regulation to then cross-reference with a contract and highlight any issues. Sure, that's better than manually reviewing everything, but would you trust it enough to bet your compliance on it? Probably not. That's why we've developed a different approach - one that combines the power of AI with structured workflows and human oversight.
Useful results from an AI chatbot, but… would you trust them?
What really caught the attention of the UK Finance members was how this approach could work in practice. Rather than just getting a yes/no answer on compliance, our system pulls out relevant sections from contracts, explains its reasoning, and suggests specific improvements. All while maintaining that crucial human oversight that's essential for regulatory compliance.
As Adam Avards from UK Finance noted during the session, this fills a gap in the current marketplace. Law firms are perfectly positioned to help their clients prepare for DORA, but they need the right tools to do so effectively. The complexity of the regulation, combined with significant penalties for non-compliance, means that traditional legal advice needs to be supported by technology that can systematically assess and verify compliance across operations.
The reaction from the attendees was telling. While everyone understands DORA is coming, there's still uncertainty about how to efficiently verify compliance across complex operations. Law firms are increasingly being asked by their financial sector clients for help with this challenge, and they need solutions that go beyond traditional legal advice while maintaining the accuracy and trustworthiness their clients expect.
We're excited to be leading the charge to DORA readiness, applying all we know about legal tech to tackle a landmark regulatory milestone in 2025. If you're a law firm looking to enhance your DORA compliance offering, or you're just interested in learning more about how AI can support regulatory compliance, we'd love to chat.
After all, whilst some level of DORA compliance work may already have been done, the risk of non-compliance likely warrants another review.
See more info here: https://www.workflowgpt.ai/dora-compliance-checker
Other DORA angles
The Hidden Infrastructure Problem: What happens when ‘too big to fail’ meets ‘too complex to understand’?
When Algorithms Meet Auditors
Is GDPR for Data What DORA Will Be for Operations?
The Hidden Infrastructure Problem: DORA Exposes Digital Foundations of Finance
Targets: Risk.net, Global Risk Regulator, Fintech Times
As the financial sector has evolved, we've built increasingly sophisticated products and services on digital infrastructure that few fully understand. While civil engineers regularly assess bridges and buildings against strict safety standards, the digital foundations of our financial system often lack similarly rigorous oversight. DORA's introduction may look like another compliance exercise, but in reality it’s a recognition that our financial stability depends as much on lines of code as it does on lines of credit.
This regulation forces us to confront an uncomfortable truth: we've created financial products of unprecedented complexity while potentially overlooking the resilience of the technology they're built upon. As financial institutions prepare for DORA compliance, they're discovering just how intertwined and potentially fragile their digital infrastructure has become.
Key considerations:
GDPR for Operations: Why DORA Will Reshape Global Digital Finance
Targets: Risk.net, EMEA Banking and Finance Magazine, International Financial Law Review
Just as GDPR became the de facto global standard for data protection, DORA is poised to become the benchmark for operational resilience in digital finance. Even organisations with minimal EU presence are likely to align with DORA's requirements, recognising that it's easier to operate under a single, comprehensive framework than maintain different standards for different regions. This "Brussels Effect" could see DORA's influence extend far beyond its intended jurisdiction, potentially reshaping how financial institutions worldwide approach operational resilience. The question isn't whether DORA will become a global standard, but how quickly non-EU regulators will develop their own versions.
Key implications:
When Algorithms Meet Auditors: The Challenge of AI Resilience
The financial sector's growing reliance on AI systems presents a unique challenge for DORA compliance. How do you prove an AI system is "resilient" when its decision-making process might not be fully transparent? As financial institutions increasingly deploy AI for critical operations, from risk assessment to trading, they face the complex task of ensuring these systems meet DORA's requirements for operational resilience. This creates an intriguing paradox: we're increasingly using complex systems (AI) to manage complex systems (financial operations), potentially adding new layers of opacity to processes that regulators want to make more transparent.
Key challenges: