On 1 February 2024, the European Supervisory Authorities (ESAs) published a report on a 2023 stocktaking of direct financial services offered by BigTechs[1] in the EU (the Report).  

The Report highlights certain characteristics of BigTech firms, in particular various types of inter-dependencies between BigTechs’ non-financial and financial services offerings, and identifies opportunities and risks flowing from these inter-dependencies. It also records national competent authorities’ supervisory and regulatory observations as well as some initial suggestions as to how these could be addressed. Lastly, it states that, as a next step, the ESAs will establish a “multi-faceted data matrix” to enhance their monitoring of BigTech firms.


In 2020, the European Securities and Markets Authority (ESMA) published an article considering the potential competitive advantages that could allow BigTech firms to expand their financial services offerings rapidly, the potential benefits and risks flowing from such expansion, and possible implications for regulators.

In the UK, the Financial Conduct Authority (FCA) has focused especially on the competition impacts of the entry of BigTech firms in the financial services sector, publishing a Discussion Paper on this question in October 2022 and a Feedback Statement in July 2023, and, in November 2023, a Call for Input on the potential competition impacts arising specifically from the data asymmetry between BigTech firms and firms in financial services.

The Report summarises findings following a stocktake of BigTech subsidiaries carrying out financial services in the EU, conducted by the ESAs in accordance with the ESAs’ mandate to monitor innovation in the financial sector, via the European Forum for Innovation Facilitators (EFIF). It follows the ESAs’ 2022 joint response to the European Commission’s Call for Advice on Digital Finance.

Opportunities and Risks

The Report notes that, in general, BigTechs leverage common data pools and infrastructures that may help them gain a competitive advantage in markets for a variety of non-financial and financial services. In addition to these “intra-group dependencies”, there are also external dependencies between BigTechs and financial institutions, e.g., where they enter into partnerships or where financial institutions outsource services to BigTechs.

As regards intra-group dependencies, the Report identifies a number of opportunities and risks:

Technological Dependencies (use of group-wide capabilities, common infrastructure, systems and tools)

  • Opportunity: Ability to offer technologically superior services (uniform, more user-friendly)
  • Opportunity: Operational efficiency and economies of scale due to shared use of common technological infrastructure, data process/analytics tools
  • Risk: Operational resilience and cybersecurity risks, given shared infrastructures (and BigTechs’ large data pools make them attractive targets for cyber-attacks)

Financial Dependencies

  • Opportunity: Ability to leverage group financial resources, including raising funds and possibilities to reallocate funds internally
  • Risk: Financial difficulties or failure of one of the group entities may affect the entire group (including through reputational spillovers)

Structural Dependencies (including data)

  • Opportunity: Deeper understanding of group activities, economies of scale and network effects, e.g., because of shared governance and compliance teams
  • Opportunity: Ability to improve and expand services by using shared datasets
  • Risk: Additional potential for conflicts of interest
  • Risk: Risk of insufficient management attention to, or expertise on, relevant risks
  • Risk: Risk of data abuse/mishandling of customer data (as well as tailored advertising of BigTechs’ own products and services), due to re-use of data from different sectors/for different scopes, based on customer consent (given without full appreciation of implications)

Strategic Dependencies

  • Opportunity: Coordinated/holistic approach to business strategy, across several countries and financial/non-financial services
  • Opportunity: Use of customer data across group to anticipate customer needs, build clear customer acquisition channels
  • Risk: Additional reputational risk in the form of potential spillovers of loss of consumer confidence from non-financial services offering to financial services offering (e.g., in case of data loss following cyberattack)

The Report mentions additional risks resulting from external dependencies, including:

  • Financial, operational or reputational risks;
  • Risks of insufficient understanding/visibility on the part of consumers, e.g., in the case of ‘white labelling’ (where a financial institution provides a product or service that is branded with a BigTech brand).

These risks may result in a number of harmful potential outcomes, including:

  • Unlevel playing fields between incumbents and BigTech;
  • Risks to the EU’s strategic autonomy in the event of growing concentration of market power by groups that do not have their head offices in the EU;
  • Threat to financial stability in the event direct financial services activities were to increase.

Supervisory and Regulatory Observations

The Report further sets out a number of supervisory and regulatory issues identified by national competent authorities. These include:

  • BigTechs pose no financial stability risks at present, given that, despite an increasing presence, BigTechs’ provision of direct financial services remains limited. However, further increase of their activities may result in risks to financial stability.
  • Poor notification practices: BigTech subsidiaries leverage their right to passport their services across EU Member State borders. This requires certain regulatory notifications to their home Member State authorities, but these notifications are perceived not to have been adequate in the past. This creates challenges in terms of monitoring and ensuring compliance (especially as regards conduct of business requirements, which may be jurisdiction-specific).
  • Poor visibility of intra-group connections, such as infrastructure, data, and funding.
  • Challenges in identifying supervisory counterparts, both in cross-border and cross-disciplinary terms (e.g., competition or data protection authorities).
  • Challenges in monitoring the significance of BigTechs, as regards both the direct provision of financial services by BigTech subsidiaries and BigTechs’ indirect role as supplier to financial services firms.
  • Challenges in identifying white labelling and associated opportunities and risks.
  • Insufficient consideration of aggregated risks arising from inter-dependencies, given the activities-based (“bottom-up”) approach of regulatory regimes applicable to financial services, without frameworks for wider consolidated/conglomerate supervision.
  • Unlevel playing fields, especially given the rules for prudential consolidation (for banking groups) and conglomerates supervision (for mixed banking and insurance groups), whereas BigTechs (without a bank within the group) are not subject to similar requirements.

Conclusions and Next Steps

The Report sets out a number of possible measures that could be considered to address or mitigate the concerns identified by national competent authorities, including:

  • Improved communication among authorities, including a more structured dialogue between different supervisors of BigTech groups active in financial services as well as an enhanced dialogue between financial supervisors and other authorities (e.g., data protection and consumer protection authorities, especially following the entry into force of the Digital Markets Act and the Digital Services Act). This may be via the EFIF or other ad-hoc supervisory settings.
  • New criteria to facilitate monitoring of the significance of BigTechs in financial services (e.g., in terms of systemic relevance, level playing field and other potential risks). Such criteria may include the types of services carried out, the number of users engaged, the number of EU financial institutions with which there is a specific partnership, and specific risk factors.
  • Potential new powers or revision of the scope of consolidated/conglomerates supervision rules, to mitigate cross-entity/group risks (e.g., to address aggregated conduct or prudential risks). The Report includes a reference to suggestions cited by the Bank for International Settlements, including a ‘segregation approach’ (that would require BigTechs to be grouped under the business model of a financial holding company, with the possibility of enhanced ring-fencing rules and prudential requirements) and an ‘inclusion approach’ (that would involve a new regulatory category specifically for BigTechs with significant financial activities, to which group-wide requirements on governance, conduct of business, operational resilience and, where appropriate, financial soundness would apply).

As an immediate next step, the Report envisages the establishment, in the context of the EFIF starting from 2024, of a “multi-faceted data matrix”. The matrix would combine data on BigTechs’ role as direct financial service providers with other data sources (e.g., as technology providers and gatekeeper platform providers), aiming to provide a better-structured, more granular and dynamic activities mapping, including to monitor the scale of direct provision of financial services by BigTechs in the EU.

[1] The Report defines ‘BigTechs’ as “large technology companies with extensive customer networks [including] firms with core businesses in social media, internet search, software, online retail and telecoms”.