Pension administration organisations should not be designated as critical third-party providers of ICT services under the Digital Operational Resilience Act (DORA) regulations, the Dutch Pension Federation (PF) has said.

In its response to the European Supervisory Authorities’ consultation, the PF argued that there was no reason for additional supervision of pension administration organisations.

DORA outlines additional requirements for ICT suppliers of financial institutions and aims to place ‘big tech’ parties that are of systemic importance for the stability of the financial sector, such as cloud services and software providers, under European supervision.

The PF noted that some Dutch pension administration organisations could fall into the category set out in the consultation of ‘services to 10 per cent of the assets under management of a type of financial entity’.

It explained that several pension administration organisations serve 10 per cent of the assets of European IORPs, which are pension institutions that fall under the EU IORP II Directive.

“With our response we try to prevent critical third-party ICT service providers indications for pension administration organisations,” the PF continued.

“In our position paper, we first argue that pension administration organisations are not ICT service providers. They only use ICT for providing pension services.

“Second, DORA surveillance of pension administration organisations is already sufficient. Pension administration organisations come under indirect supervision via the funds. And since they all operate within national borders, there are no gaps in supervision. Double supervision should be avoided.

“Thirdly, the criterion 'services to 10 per cent of the assets under management of a type of financial entity' is not appropriate for the IORP sector, where the Netherlands is a big fish in a small pond.

“A holistic analysis should show that the ICT risks at pension administration organisations are not critical.”

Share Story: