ECB names new digital chief as QA climbs the priority ladder

The ECB's headquarters in Frankfurt, Germany

The European Central Bank (ECB) in Frankfurt has appointed a new director general information systems, the person in charge of the central banking authority’s online infrastructure and digital transformation.

The ECB said in an email to QA Financial that Alain Busac will take up the role, thereby becoming responsible for delivering major IT modernisation projects and ensuring that the ECB’s cybersecurity policies are implemented.

Frenchman Busac will take up his new position at the ECB in the coming months, the bank confirmed. He will be based at the bank’s headquarters in Frankfurt, Germany.

Alain Busac

In its brief statement, the bank stressed “Alain Busac has over 30 years of managerial experience in information technology” and said he “will drive the ECB’s digital transformation and IT modernisation projects.”

The ECB’s Directorate General Information Systems develops, delivers and supports the information and communication systems of the ECB, the Eurosystem/European System of Central Banks (ESCB) and the Single Supervisory Mechanism (SSM).

It also provides the governance structure for information systems at the ECB, including IT architecture and security policies, and for the common systems and services of the Eurosystem, ESCB and SSM.

French veteran

Paris-based Busac is currently still director of information systems for financial markets, monetary policy and payment infrastructures at the Banque de France, where he started as head of the section responsible for innovative business projects in 1991.

He subsequently held managerial roles in IT architecture, operations and procurement, and was chief technology officer from 2012 to 2018. Busac is currently responsible for the directorate’s IT system with a focus on digitalisation and the bank’s innovation initiative.

Busac holds a master’s degree in statistics and in economics from the Centre d’Études Statistiques and from the Université Louis Pasteur in Strasbourg.

Tech priorities

The appointment of industry insider Busac comes as the ECB, and financial institutions across the EU generally, are increasingly looking to tech, and in particular AI, to enhance their capabilities.

At the same time, regulation and oversight are tightening.

In February, for the first time, the ECB confirmed it is using artificial intelligence in its daily operations to monitor the activities of banks across Europe.

In fact, the ECB is increasingly using AI capabilities to supervise banks’ activities, a senior representative of the central banking body acknowledged.

Elizabeth McCaul, a member of the ECB supervisory board

Elizabeth McCaul, a member of the central bank’s supervisory board, said the ECB had started integrating AI to improve the efficiency and effectiveness of supervisory processes.

“Currently, our AI applications enable us to query supervisory data and employ chatbot functionalities for supervisory regulations and methodologies,” McCaul revealed, writing in French trade publication Revue Banque.

She stressed the “unprecedented pace at which data is being generated in today’s digital era” has prompted the bank to turn to AI.

McCaul added that by analysing vast amounts of data, improving risk identification, supporting decision-making and automating repetitive tasks, AI can “significantly bolster the work of banking supervisors.”

DORA

Her comments came shortly after the EU Digital Operational Resilience Act (DORA), a major piece of new regulation, had been approved. It will come into force in less than a year.

Interestingly, the ECB will also be subject to DORA scrutiny, particularly since it is rapidly introducing AI tools to monitor and supervise banks across the bloc.

McCaul acknowledged the need for a major re-think within the financial services space, as she warned of risks associated with AI, which “remain not fully understood.”

This is “a clear dilemma” for banks, as she put it.

While AI can improve the customer experience and enhance operational efficiencies as well as risk management processes, it also presents several challenges, including data governance risks and emerging operational, model management and accountability risks.

McCaul pointed out that banks are increasingly using AI in the race to remain competitive while upholding risk management responsibilities.

She did not detail or elaborate on what kind of AI platforms or tools the ECB uses, who developed them or how and when they are used, nor where or how they are deployed while interacting with banks across Europe.

Eight months to go

DORA is increasingly becoming a priority for financial services firms, lawyers, ICT companies and regulators across the EU.

With less than nine months before DORA comes into force, lawyers, QA teams and compliance officers are trying to make sense of the maze of rules.

Intended to address the rising threat of cyber attacks and the financial sector’s increasing reliance on digital technology, DORA sets out a comprehensive regulatory framework aimed at enhancing the digital operational resilience of financial entities in the EU.

Evidently, the legislation represents a major shift in the EU’s approach to ensuring the robustness and reliability of digital operations within the financial sector.



With the deadline for complying with DORA set for 17 January of next year, pressure is mounting on financial institutions and service providers across the industry to start preparing for the new regulatory framework.

The enforcement of DORA will be overseen by national regulators within each EU member state with the power to impose penalties for non-compliance. They will be directly supervised by lead overseers from the European Supervisory Authorities.

Moreover, DORA also encourages voluntary information sharing among financial entities regarding the emerging landscape of cyber threats.

Mass-training exercise

In preparation for DORA, large banks, financial institutions and other financial services (FS) players across the European Union have been urged to take part in a voluntary mass-training exercise ahead of DORA coming into force, as QA Financial reported earlier this month.

Banks across all EU member states, as well as insurers, asset managers and other financial firms have been invited by the European Supervisory Authorities (ESA) to join the mass-testing exercise, which is scheduled to take place next month. An exact date has not been set yet.

The test is co-coordinated by the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) as well as the European Securities and Markets Authority (ESMA).

Firms that agree to take part will be asked to hand over the agreements they have in place with any ICT third party providers they work with.

Starting later this month, participating firms will be expected to forward their registers to the ESA through their relevant national watchdogs before the end of August.

Providing this information is an important part of DORA because, once in effect, financial firms will be required to register any contractual arrangements they have with third party ICT firms.

In the invitation letter to firms, which was sent in April, the ESA explained they plan to offer extensive help, support and guidance to firms to help them create and maintain a register.

The regulator indicated it will soon propose a standard format and that data quality testing will become an important part of the process.

Firms will then be asked to hand over their registers to the ESA through their relevant national watchdogs, most likely between early July and late August.

Tighter regulation

DORA is among several recent and emerging regulations in the EU, created to enhance and standardise requirements for enterprise cyber resiliency.

The rules are specifically for financial entities operating across the EU 27 — including banks, insurance companies, credit agencies and more — and third-party service providers that serve them.

Ahead of the January 2025 deadline, the European Commission formally adopted a number of DORA stipulations in February.

The EU’s executive body issued a whole set of secondary legislation that set out detailed, technical rules specifying some of the key provisions of DORA.

Firstly, it has now been confirmed that DORA will introduce an ‘oversight framework’, which did not exist under pre-existing outsourcing regulations.




ICT third-party service providers that are designated as ‘critical’ will be made subject to regulatory scrutiny, largely overseen by the ESA, which are the above-mentioned ESMA, EBA and EIOPA.

This approach allows the ESA to investigate and inspect providers in relation to IT security, risk management and governance issues.

The framework also gives the ESA the power to make recommendations and issue fines of up to 1% of the ICT third-party provider’s annual worldwide turnover.

Moreover, the EC also detailed the criteria “for the designation of ICT third-party service providers as critical for financial entities.”

In other words, it set out what ‘critical ICT providers’ are. In addition, the EU body also introduced a vast and fairly complex structure for oversight fees.

‘Critical’ providers

To determine whether an ICT third-party service provider is ‘critical’ for banks, insurance firms and other financial entities, the ESAs will use sub-criteria in a two-step approach assessment.

Firstly, the ESAs will take into account important ICT services and the diversity and number of financial institutions that use those services.

This is primarily done to “filter the population of ICT third-party service providers and identify the most critical ICT third-party service providers.”

After this ‘first selection’ of ICT third-party service providers, a further in-depth analysis will be carried out that focuses on a range of sub-criteria.

So far, the EC has not set out these standards but has hinted that, in some cases, it will be left to individual member states to fill these gaps.

