Financial-sector firms increasingly depend on technology, and regulators have
responded by making operational resilience an explicit obligation. The Digital
Operational Resilience Act (DORA) sets expectations for how in-scope financial
entities manage information and communication technology (ICT) risk. For a firm
building payment and crypto infrastructure, resilience is not a bolt-on; it is
part of the architecture.
This guide outlines the main areas a resilience-minded operation should address.
ICT governance
Resilience starts with ownership. There should be a clear governance structure
for ICT risk: defined responsibilities, board-level awareness, documented
policies and a risk-management framework that treats ICT as a first-order risk
rather than a technical detail. Governance is what connects day-to-day technical
decisions to accountability.
Third-party risk
Modern financial infrastructure relies on third parties — cloud providers,
specialist vendors, data services. Each dependency is a potential point of
failure and a source of risk. Managing third-party risk involves knowing which
providers matter, assessing them before and during the relationship, and
understanding concentration risk where many functions depend on one provider.
Outsourcing oversight
Where functions are outsourced, oversight does not transfer with them. The firm
remains responsible for outcomes and must be able to monitor, and if necessary
challenge, its providers. Contracts and monitoring should reflect that
responsibility.
Incident management
Incidents will happen. What distinguishes a resilient firm is how it detects,
classifies, responds to and learns from them. An incident-management process
should define severity levels, response steps, communication paths and — where
required — reporting obligations. Recording incidents and their resolution builds
both institutional memory and evidence.
Resilience testing
Resilience that has never been tested is an assumption. Regular testing —
ranging from routine checks to more advanced exercises — validates that controls,
recovery procedures and dependencies actually work. Testing should be
proportionate to the firm’s size and risk, and its findings should feed back into
improvements.
Access controls
Strong access control is a foundation of both security and resilience.
Least-privilege access, strong authentication, segregation of duties and careful
management of privileged accounts reduce the chance that a single compromised
credential leads to a major incident. Access should be reviewed regularly, not
granted once and forgotten.
Business continuity
Business continuity planning ensures the firm can keep operating, or recover
quickly, through disruption. This includes defined recovery objectives, backup
and restoration procedures, and tested plans for the scenarios that would hurt
most. Continuity planning turns “what if” into a rehearsed response.
Exit planning
A specific and often neglected discipline is exit planning: being able to move
away from a critical provider in an orderly way if necessary. Without an exit
plan, a firm can become locked in, unable to respond if a provider fails or
becomes unsuitable. Planning the exit in advance preserves optionality and
reduces concentration risk.
Building resilience in from the start
For a firm still designing its platform, there is an advantage: resilience can be
built into the architecture rather than retrofitted. Clear governance, disciplined
third-party management, tested continuity and thoughtful access control are far
easier to establish early than to impose later.
Fintech Meta is being designed with operational resilience as a core
consideration, so that governance, third-party oversight, incident handling and
continuity are part of the operating model from the outset.
Practical takeaways
- Give ICT risk real governance and board-level ownership.
- Manage third-party and concentration risk, and retain outsourcing oversight.
- Define incident management and test resilience regularly.
- Enforce least-privilege access and plan for continuity and provider exit.
The capabilities described here are planned and will be delivered as part of
Fintech Meta’s operating model, subject to authorisation and implementation.
This article is for general information only and does not constitute legal,
regulatory or financial advice. Refer to DORA and qualified advisers for your
specific situation.