Door two

Financial Sector

Fintech, payments, and crypto carry two data obligations that land at the same time: privacy under the GDPR — including the personal data your KYC and screening generate — and ICT operational resilience under DORA. They run on the same systems and the same vendors. Privello covers both from one desk so they agree with each other, and coordinates with your financial-crime team where the two meet.

Do you need this

This engagement is for you if

  • You are a payment institution, e-money firm, investment firm, crypto-asset service provider, or a fintech serving regulated financial entities in the EU.
  • DORA has moved from a project on the roadmap to a supervisory expectation, and your ICT risk and third-party register are not yet where they need to be.
  • Your customer due diligence and screening generate personal data, and the privacy side of that is nobody's clear responsibility.
  • An enterprise partner or regulator has asked to see how your privacy and resilience controls fit together.

What it covers

Two obligations, one coordinated file

Data privacy and operational resilience are usually bought from two vendors. On the same systems, that produces contradictions. Privello runs them as one program — and keeps the privacy side of your financial-crime controls aligned with both.

Regulation (EU) 2016/679

Data privacy

Financial data is high-risk personal data. The engagement covers lawful basis, records of processing, DPIAs for scoring and screening, retention limits on due-diligence and KYC records, and the transfer mechanism behind any US or offshore processing — with GDPR breach notification lined up against DORA incident reporting.

Regulation (EU) 2022/2554 · from 17 Jan 2025

DORA resilience

The Digital Operational Resilience Act requires an ICT risk-management framework, a register of ICT third-party arrangements, major-incident reporting, and threat-led resilience testing. Privello builds the governance, the third-party register, and the incident playbook, and maps critical-provider dependencies.

Your KYC, customer due diligence, and sanctions screening generate personal data governed by the GDPR. Privello handles that privacy layer and coordinates with your AML function; it does not design or operate financial-crime controls. Regulation references describe the instruments Privello works with, for orientation, not as legal advice.

What you receive

Named deliverables

A defined set of documents and workflows that let your privacy and resilience obligations share the same evidence base.

Integrated risk assessment

One risk view across data protection and ICT resilience, so a single control can answer to more than one regulation.

DORA ICT framework

An ICT risk-management policy, a register of third-party ICT arrangements, and a major-incident reporting playbook.

Privacy for KYC & screening

The lawful basis, DPIAs, and retention rules for the personal data your customer due diligence and sanctions screening generate — the privacy layer over your AML controls.

Privacy for financial data

ROPA, DPIAs for scoring and screening, retention rules, and the transfer file behind offshore processing.

Vendor & third-party map

A single register of the processors and ICT providers that carry privacy and DORA weight at once.

Incident & breach alignment

A response plan that reconciles GDPR breach notification with DORA major-incident reporting on one timeline.

Every engagement is scoped in writing at a fixed fee before work begins — no hourly billing, no open-ended retainers.

How it runs

A four-step engagement

  1. 1. Scope. A working session to understand your licence, your systems, and where privacy and DORA bite hardest. Fixed scope, fixed fee.
  2. 2. Assess. An integrated gap assessment across privacy and DORA, mapped onto shared systems and vendors, flagging where your financial-crime data touches both.
  3. 3. Build. The frameworks, registers, and playbooks above, drafted so the three regimes reference one evidence base.
  4. 4. Hand over. A walkthrough with compliance, security, and engineering, so each obligation has an owner who can run it.

Common questions

Questions financial firms ask

Does DORA apply to us?

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied since 17 January 2025 to a broad range of EU financial entities — including banks, payment and e-money institutions, investment firms, and crypto-asset service providers — and reaches their critical ICT third-party providers. If you are a regulated financial entity in the EU or serve one, it is likely in scope.

Why handle financial-data privacy and DORA together?

Because they overlap. Financial data is high-risk personal data under the GDPR, DORA incident reporting interacts with GDPR breach notification, and both sit on the same systems and vendors. One advisor keeps the two from contradicting each other; two separate vendors often do not.

Do you handle our AML or financial-crime program?

No. Privello's financial-sector work is data privacy and DORA operational resilience, not anti-money-laundering. Where your KYC, customer due diligence, and screening generate personal data, Privello handles the privacy side of that — lawful basis, DPIAs, retention, and the transfer file — and coordinates with your AML function or MLRO, who own the financial-crime controls themselves.

Are you a law firm?

No. Privello is a data-regulation consultancy. Its founder is a U.S.-licensed attorney, and that is stated as a credential only. Where a matter requires formal legal advice, Privello works alongside your qualified counsel rather than replacing them.

We are a US fintech with EU customers but no EU licence. Does any of this reach us?

Often, yes. The GDPR applies to offering services to people in the EU regardless of where you are established, and DORA reaches ICT providers that serve regulated EU financial entities — so a US company can be pulled into scope through its customers. The scoping session establishes which obligations actually bite before anything is built.

We already have a DPO or compliance officer. How do you fit in?

Alongside them, not instead of them. Privello builds the frameworks, registers, and playbooks; your DPO, compliance, or security team owns and operates them day to day. Most engagements exist precisely because the internal team is fully occupied running controls and has no capacity to build the integrated file a supervisor or enterprise partner asks for.

Scope. Privello LLC is a data-regulation consultancy and is not a law firm. Patrick Smith is a U.S.-licensed attorney (State of Texas); his bar admission is stated as a credential only. Engagements are consulting engagements and do not create an attorney–client relationship. Privello's financial-sector work is data privacy and DORA resilience; it does not design or operate anti-money-laundering controls, file regulatory reports, or act as a licensed compliance officer. Where a matter requires formal legal advice, Privello coordinates qualified local counsel.

Begin

Line up privacy and DORA

Tell us about your licence, your systems, and where privacy and resilience are pulling against each other. We will outline how to run them as one program in a first conversation.