Financial Services

Report on 2023 stocktaking of Big-Tech direct financial services provision in the EU – the NCAs observations on key opportunities and risks

Written by

Dr. Michael Huertas

RegCORE Client Alert | EU Digital Single Market


The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published a report on 1 February 2024, setting out the results of a stocktake of BigTech direct financial services provision in the EU (the Report).See here.Show Footnote The Report highlights the types of financial services currently being performed by BigTechs in the EU pursuant to relevant licenses and sets out views on structural opportunities, risks, regulatory and supervisory challenges. 

The Report constitutes delivery of one of the European Forum for Innovation Facilitators’ (EFIF)The members of the EFIF consist of representatives from each innovation hub and regulatory sandbox established by national and European supervisors within the EEA. The EFIF contains representatives from all 30 countries within in the EEA, covering the banking/payments, insurance and securities markets sectors – see details here.Show Footnote work priorities for 2023 and elaborates the analysis conducted for the 2022 Joint ESAs Response to the European Commission 2021 Call for Advice on Digital Finance and related issues. That work had proposed recommendations in relation to the regulation and supervision of more fragmented or non-integrated value chains, platforms and bundling of various financial services, and risks of groups combining different activities. The EFIF provides a platform for supervisors to regularly exchange experiences of working with companies on innovation enablers, share technological expertise and find common views on the regulatory treatment of innovative products, services and business models.

Following the 2019 Joint ESAs report on regulatory sandboxes and innovation hubs, the EFIF was established due to the growing need for enhanced coordination and cooperation between innovation facilitators to support the scaling up of FinTech across the EU single market. The ESA’s proposals focused on the development of a Joint ESA “own-initiative” guidance, preferably as a Guideline, i.e. a rulemaking instrument, dealing with cooperation and coordination between innovation facilitators, as well as the establishment of an EU network to connect innovation facilitators at the Member State level, potentially mirroring the EU financial services’ passport system.See the entire Report on Fintech: Regulatory sandboxes and innovation hubs here.Show Footnote The 2019 report’s findings have been updated in the ESAs Report on Innovation Facilitators published in December 2023.See our Client Alert on that development here.Show Footnote

The most recent stocktake of BighTech’s engaged in provision of direct financial services was carried out through a survey developed by ESA staff in consultation with European Commission (Commission) staff and addressed to national competent authorities (NCAs). Remaining consistent with the approach of the Financial Stability Board (FSB), the definition of “BigTechs” for the scope of the survey was “large technology companies with extensive customer networks, including firms with core businesses in social media, internet search, software, online retail and telecoms”. In July 2023 the survey was sent out to EFIF members, consisting of all NCAs represented on the boards of the ESAs. In total, 24 NCAsMember States: AT, BE, BG, CZ, EE, FR, DE, EL, HU, IT, IE, LV, LU, MT, NL, PL, RO, SK, SI, ES, SE; EEA States: IS, LI, NO.Show Footnote representing 21 Member States and three EEA States participated in the survey.

This Client Alert assesses the key results of the cross-sectoral stocktake of BigTech subsidiaries carrying out financial services in the EU, the key opportunities and risks in terms of BigTechs’ intragroup and external dependencies as well as supervision and regulatory issues in the context of the market developments in relation to further steps of enhanced monitoring of the financial sector.

Key takeaways from the Report

In line with the ESAs’ mandate to monitor innovation in the financial sector and as part of EFIF’s work priorities for 2023, as mentioned above and as a follow-up to the ESAs’ 2022 joint-response to the EC’s Call for Advice on Digital Finance, the Report sheds light on the current market situation and potential synergies within financial services provision on behalf of BigTechs in the EU. 

  • Six BigTech subsidiary companies are authorised as e-money institutions in a total of five Member States, two as payment institutions, two as credit institutions, three as insurance intermediaries, and two as insurance undertakings. Accordingly, the Report notes that:
    • there has been a slight increase in the number of entities engaged in e-money activities and payment services in comparison to previous data, whilst the number of licensed credit institutions remains more limited. The insurance sector has seen an increase in active entities, but no subsidiaries active in securities and markets;
    • some NCAs reported additional BigTech financial services activities by Big-Techs, including credit intermediation, payment services under PSD2 exemptions, and financial leasing services;
    • the NCAs were approached by BigTechs through innovation facilitators concerning banking licenses and the provision of financial services. This suggests potential interest in various financial products and services; and
    • partnerships or cooperations with financial services for buy now pay later services, crypto-related services (e.g., stablecoins issuance), digital wallets provision, and tokenised identities for financial services are mentioned.
  • NCAs expect the tendency of BigTechs in Europe to target professional clients in the e-commerce sector for insurance, credit and payments, whilst focusing on their infrastructure provision for retail financial services;
  • NCAs were asked to give details on partnerships between registered or authorised BigTech subsidiaries and other financial institutions for offering financial services:
    • these reported confined partnerships between BigTechs and financial institutions, with some underlining white labelling / licenses-as-a-service partnerships;
    • partnerships involve messaging apps integrating an e-wallet for e-money transfer services, as well as e-wallet solutions and payment services for merchants;
    • some partnerships entail outsourcing arrangements for IT and similar services, which were excluded from the scope of the stocktake;
    • one NCA reported a co-innovation partnership between a BigTech subsidiary and a financial institution with the objective of jointly developing new service offerings for mutual commercial benefit; 
    • partnerships related to white labelling / license-as-a-service arrangements involve regulated or non-regulated companies offering financial services through white label providers, leveraging the provider’s license. Moreover, the Report found that this partnership model allows unregulated white label partners to offer financial services using the provider’s license, through which BigTechs may benefit by enabling them to offer products without direct authorisation, leveraging their brand and customer base; and
    • BigTechs harness shared data pools and infrastructures to gain competitive edges across various non-financial and financial service markets, baring both opportunities and risks, as outlined in the Report based on NCA inputs and emphasised by recent publications from BIS, FSB and FSI.
  • Potential opportunities identified in the Report included:
    • BigTech intragroup dependencies, including technological, financial, structural and strategic aspects, offer opportunities for leveraging group-wide capabilities;
    • reliance on technology empowers BigTechs to offer superior services with user-friendly interfaces and efficient back-office operations, thus capitalising on economies of scale;
    • financial dependencies allow them to utilise group resources for liquidity needs, expansion or investments, with fewer limitations due to prudential rules;
    • structural inter-dependencies, such as shared governance and regulatory compliance teams, leverage holistic business strategies and governance improvements; and
    • shared data pools strengthen the provision of tailored services and products to consumers, improving the visibility of a brand.
  • Potential risks that were summarised in the Report assessed that:
    • BigTechs’ financial services provision encompass both intra-group and external dependencies, as emphasised by NCAs;
    • common technology infrastructures and large data pools offer advantages but simultaneously raise concerns about operational resilience, increasing vulnerability to cyber-attacks or operational outages;
    • successful cyber-attacks leading to a loss of data or corruption pose reputational risks, potentially eroding investor and consumer confidence some of which could cause financial contagion effects;
    • sharing governance responsibilities, while offering opportunities, may lead to conflicts of interest and insufficient management attention to risks, compounded by opaque organisational structures spanning various sectors and jurisdictions;
    • risks of data abuse and mishandling stem from extensive personal data pools across multiple sources, which enable more precise advertising and pricing practices that may exploit consumer data without being fully covered by consent;
    • there is a potential for exclusion from financial services due to reliance solely on digital access channels or pricing practices that assess affordability by using extensive consumer data pools;
    • partnerships between BigTechs and financial institutions create external dependencies, particularly in cases of white labelling, where consumers do not have full access to information on contractual relationships;
    • increased direct provision of financial services by BigTechs could disrupt business models being followed of traditional institutions, potentially impacting financial stability through their reliance on vast consumer bases; and
    • concentration of market power by non-EU headquartered groups poses risks to the EU’s strategic autonomy. Possible mitigation through mandating the establishment of local subsidiary financial entities, which would not, however, fully erase the challenge of group-wide governance decisions and the offshore placement of data centres.
  • Supervision and regulatory issues. The Report found that: 
    • NCAs were invited to identify supervisory and regulatory issues in the context of market developments and potential opportunities and risks described in the previous chapters of the Report;
    • the majority of BigTech subsidiaries conduct financial services activities across borders, but the reliability of notification practices for cross-border provision may vary, posing challenges to the efficient enforcement of monitoring and compliance measures;
    • many financial services carried out by BigTechs fall under activities-based regulation without frameworks for wider consolidated supervision, creating challenges in overseeing intra-group connections and identifying relevant risks;
    • identifying supervisory counterparts across disciplines and borders may be complex, underlining the need for structured communication between supervisors of BigTech groups;
    • suggestions include establishing criteria to monitor the significance of BigTechs in financial services, examining systemic relevance, market stability, level playing field and potential risks, evening out quantitative data gaps through tracking BigTech activities; and
    • it is advisable to conduct additional thematic analysis, especially concerning the trend of white labelling, which applies beyond the spectrum of BigTechs. 
  • Regulatory framework and rulemaking issues. The Report concluded that: 
    • the current regulatory framework follows a bottom-up approach, applying regulations to specific financial activities of BigTech subsidiaries, but does not consider the entire scope of risks arising through interdependencies and/or over-concentration risks;
    • concerns regarding the need to revisit conglomerates or consolidated supervision rules will emerge if BigTechs providing direct financial services become more prominent;
    • techniques aimed at enhancing regulation and supervision contain two distinct approaches: the “segregation approach”, which involves consolidating BigTechs under a financial holding company governed by specific referencing rules, and the “inclusion approach”, which entails the establishment of a new regulatory classification for BigTech entities engaging in significant financial activities; and
    • considerations on (lack of) level playing field were emphasised in the Report, with banking and insurance groups subject to prudential consolidation or conglomerates supervision. However, regulatory arrangements for Big-Tech groups, which confine multiple financial intermediaries, may not be comparable, potentially resulting in uncovered risks and competition bias.

Key challenges and opportunities

In conclusion the Report highlights that NCAs see that increased communication between financial sector supervisors of BigTech subsidiaries providing financial services would benefit from the introduction of a common information exchange system. This common information exchange system would be in place for high level scanning. It would imply sharing of vast amounts of information between the home state NCA responsible for the supervision of different subsidiary companies performing financial services. This maylead to strengthened regulation of intra-group dependencies. Additionally, increased dialogue between financial supervisors and other authorities is advised. 

The Report in particular advocates strengthening interactions between data protection and consumer protection authorities. Due to BigTechs offering a broad range of services and through this their activities being covered by multiple regulatory authorities, it can pose a big challenge coordinating policies for BigTechs. Especially the interaction frequency and intensity between these different institutions require strengthening to counteract faced challenges. As suggested by certain NCAs, the EFIF could be used as a possible horizontal structure to promote supervisory dialogue in correspondingly the cross-sector and the cross-border dimensions, yet some other NCAs preferred a different ad-hoc supervisory layout. Generally, NCAs accepted and supported the findings set out in the Report response as well as the proposals to further strengthen the monitoring of the financial sector and besides the cross-disciplinary supervisory dialogue within the EFIF framework. These recommendations included: 

  • Ensuring effective regulation and supervision of mixed activity groups;
  • Strengthening supervisory capabilities and cooperation between financial and other responsible authorities (particularly on a cross-border and multi-disciplinary basis); and
  • Requirement for active monitoring of social media usage in financial services.

Key considerations for financial services firms

The results of the stocktake and the recommendations in the Report lead to following aspects that may require examination from financial services firms:

  1. assessment of how the increasing presence of BigTech subsidiaries might affect their competitive positioning. A deeper understanding of the services offered by BigTechs and their potential impact on market dynamics is necessary for strategic decision-making;
  2. the opportunities for innovation and collaboration with BigTechs should be explored. Partnering with BigTech subsidiaries or strengthening their technologies can improve product offerings, boost customer experience whilst driving efficiency;
  3. considering the regulatory examination regarding BigTechs’ involvement in financial services, firms must ensure upmost compliance with applicable regulations. This encompasses fully understanding regulatory requirements related to data privacy, consumer protection and financial liability. Additionally, the implementation of robust risk management practices to orderly mitigate possible risks through partnering with or competing against BigTechs is crucial;
  4. focused strengthening of customer engagement and experience to endure competition in the market. Possibly through leveraging data analytics, the use of artificial intelligence or other technologies to better personalise the products offered and upgrade service delivery;
  5. the need to act in accordance with technological advancements and trends influencing the financial services industry. Firms can remain competitive while meeting customer expectations from incorporating innovation and emerging technologies; and
  6. development of strategic and long-term plans, which consider the rapidly evolving landscape shaped by the presence of BigTechs.

Financial services firms may therefore be required to (more) proactively assess the implications of BigTechs’ growing presence in the European financial services market and quickly adapt their strategies and operations appropriately to benefit from arising opportunities whilst mitigating risks constructively. 

Outlook and next steps

The Report reveals a noticeable increase in the involvement of BigTech subsidiaries providing financial services in Europe, with their main focus areas being payments, e-money and insurance. Nevertheless, there is no indication that any BigTech subsidiaries are authorised to provide financial services in the area of traditional/tokenised securities and capital markets as of yet. Despite the ESAs nor the NCAs not currently expecting financial stability risks from the activities of BigTechs, they still emphasise the potential risks and regulatory challenges which may arise in the future in particular if BigTechs run into solvency issues.

In summary, the growing presence of BigTech subsidiaries providing financial services in the EU demands more proactive and regulatory efforts. The Report’s proposal to enhance monitoring of BigTechs through the EFIF, including the establishment of a comprehensive data matrix to track BigTech activities within the financial sector is a logical first step for increased supervisory scrutiny of (i) BigTech’s activities and (ii) financial services firms’ exposures to them. As technological advancements continue to drive expansion through innovation in financial services, regulators are required to remain adaptable by constantly evaluating and thus adjusting regulatory frameworks to ensure financial stability and safeguard consumer interests.

Lastly, the Report’s repeated highlighting of the importance for collaboration with other regulatory bodies, in particular when considering recent legislative changes opens the door, at least conceptually, for the ESAs to push for expanding the supervisory remit to BigTechs independently of other EU efforts such as those under the guise of the Digital Operational Resilience Act (DORA).

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators.

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via or our website.