01
DORA third-party register at scale
Mapping every ICT third-party arrangement to Article 28 fields, plus criticality, exit strategies, contract clauses.
IMPACTSupervisors expect the register at first review.
SECTOR PRACTICE · FINANCIAL SERVICES
EU compliance for financial services
Advisory for banks, insurers, investment firms and fintech
REGULATIONS.STACK · FINANCE● 09
DORAICT risk and resilience
MIFIDConduct, suitability, reporting
AMLRAML/CFT programme
MICACrypto-asset services
PSD2Payment services, SCA
GDPRCustomer data, transfers
CRR/CRDPrudential reporting
MARMarket abuse
SFDRSustainability disclosure
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / WHO WE SERVE
Six financial profiles, one compliance map.
From traditional banks to fintech and crypto. The regulatory load depends on authorisation type, customer base and product set.
BANKS
Banks and credit institutions
Prudential reporting, ICT resilience, AML, customer protection.
CRR/CRDDORAAMLR
INSURANCE
Insurers and reinsurers
Solvency II, IDD, DORA, GDPR for claims and underwriting.
DORAGDPRAML
INVESTMENT
Investment firms and managers
MiFID II conduct, MAR surveillance, SFDR disclosure, AIFMD.
MIFIDMARSFDR
PAYMENTS
Payment and e-money institutions
Authorisation, SCA, safeguarding, ICT resilience.
PSD2DORAAML
CRYPTO
Crypto-asset service providers
MiCA authorisation, custody rules, market abuse for crypto.
MICAAMLGDPR
FINTECH
Fintech and challenger banks
Multi-licence stacks (PSD2 + e-money), AI Act for credit scoring.
PSD2AI ACTGDPR
§ 02 / LANDSCAPE
The financial-sector regulatory clock.
Eight regimes interlock. We sequence them around your release cadence.
LIVEGDPR
IN FORCE
Customer data and transfers
Lawful basis for credit decisions, AML data sharing, breach reporting, customer rights at scale.
LIVEMIFID
IN FORCE
Conduct of business
Suitability, product governance, transaction reporting, best execution, recordkeeping.
LIVEDORA
IN FORCE
Digital operational resilience
ICT risk framework, third-party register, TLPT, major incident reporting to supervisors.
LIVEMICA
IN FORCE
Crypto-asset services
CASP authorisation, custody and conflicts rules, market abuse provisions, white-paper.
CRITICALAMLR
JUL 2027
AML Regulation and AMLA
Single rulebook replaces AMLD. AMLA takes over supervision of major obliged entities.
NEXTPSD3
2026
Payment Services revision
PSD3 and PSR replace PSD2. New rules on fraud liability, open finance, strong customer authentication.
NEXTSFDR
2026+
SFDR review and Level 2
ESMA-led review of SFDR categorisation. Potential overhaul of Article 8 and 9 framework.
PLANNEDFIDA
TBD
Financial Data Access
Cross-sector open-finance regime. Consumer-permissioned data sharing across financial institutions.
§ 03 / WHAT TO SOLVE
Where financial firms get stuck.
02
AML transaction monitoring tuning
Overshooting on alerts produces backlogs. Undershooting leads to enforcement letters. The model needs continuous tuning.
IMPACTFIU referrals stall when monitoring is mis-calibrated.
03
MiFID II conduct and suitability
Suitability assessments at point of sale, post-trade monitoring, product governance per target market.
IMPACTSix-figure fines for systemic suitability failings.
04
MiCA authorisation backlog
Crypto-asset service providers need full authorisation by end of transition. NCAs reporting longer review cycles.
IMPACTNo authorisation means no EU operation.
05
Cross-border supervision
Lead supervisor + host authorities + ESMA + EBA. Coordination between authorities adds reporting load.
IMPACTMultiple consistent filings needed in parallel.
06
Board-level personal liability
DORA, NIS2 and the SREP all push accountability to named executives. Board minutes become evidence.
IMPACTPersonal sanctions for compliance officers and MLROs.
§ 04 / OFFERING
Our Services for Financial Sector
FX-01
DORA programme
Third-party register, ICT risk framework, TLPT, exit strategies, supervisory reporting.
DRegisterDICT frameworkDReporting
FX-02
AML/CFT programme rebuild
Programme effectiveness review, transaction monitoring tuning, sanctions screening, SAR workflow.
DProgrammeDTuningDFIU liaison
FX-03
MiFID II conduct framework
Suitability and appropriateness, product governance, best execution, transaction reporting.
DSuitabilityDProduct govDBest ex
FX-04
MiCA authorisation file
CASP authorisation dossier, white-paper review, custody policy, market-abuse framework for crypto.
DAuthorisationDWhite-paperDCustody
FX-05
PSD2 / PSD3 compliance
SCA implementation, fraud reporting, safeguarding, complaint handling, open-banking compliance.
DSCADSafeguardingDReporting
FX-06
Prudential and SREP preparation
ICAAP, ILAAP, COREP/FINREP, on-site preparation, dialogue with the supervisor.
DICAAPDFINREP/COREPDOn-site
FX-07
Market abuse surveillance
Insider lists, STOR workflow, PDMR notifications, market-sounding records, surveillance calibration.
DInsider listsDSTORDCalibration
FX-08
SFDR and sustainability disclosure
Article 8 and 9 classification, PAI statements, taxonomy alignment, double materiality.
DClassificationDPAIDTaxonomy
FX-09
Outsourced compliance officer
Second-line support for Head of Compliance, MLRO and DORA owner. Monthly retainer.
DRetainerDFilingsDBoard memos
§ 05 / SELECTED WORK
All case studies →Financial-sector engagements.
CASE 01Mid-market bank
DORA programme live across three jurisdictions, register accepted at first supervisory review.
3
ENTITIES
47
TPPS
Passed
REVIEW
SCOPEDORA · ICT · Third-party register · Exit strategies
CASE 02Payment institution
ZAG authorisation file accepted by HNB at first review, AML programme live.
11
WEEKS
0
RFI
On plan
GO-LIVE
SCOPEZAG authorisation · AML programme · Safeguarding
CASE 03Asset manager
MiFID II conduct rebuild, suitability and product governance live in 90 days.
47
FUNDS
3
QUARTERS
0
MAR FLAGS
SCOPEMiFID II · Suitability · Product gov · MAR
§ 06 / FREE TOOL
Map your financial stack to the EU rulebook.
Eight questions about your authorisation, products and customer base. Get an indicative obligations map across DORA, MiFID, AML, MiCA, PSD2 and SFDR.
Run obligations mapper~ 4 MINMAPPER.PREVIEWSTEP 4 / 8
Are you a CASP under MiCA, an MTF, or providing ancillary services?
Yes, CASP (custody, exchange, trading)A
Yes, MTF or trading venueB
Ancillary services only (research, custody adjacent)C
Not crypto-relatedD
INDICATIVE → MICA TITLE V + ART. 88
§ 07 / FAQ
Frequently Asked Questions
01Are we in DORA scope?+
Yes if you are a financial entity listed in Article 2: banks, payment institutions, e-money institutions, investment firms, asset managers, insurers, MiCA-authorised CASPs and crypto-asset providers. The register applies to every ICT third-party arrangement.
02How fast can you mobilise on a regulator-driven remediation?+
Within 5 business days. Day one to five is scope, plan and milestone agreement. From week two we run weekly status against the supervisor's deadlines.
03Do you cover MiCA authorisation end-to-end?+
Yes. We build the dossier, draft the white-paper, set up custody and conflicts policies, and run the dry-run interview with the regulator. We have completed CASP authorisations across multiple Member States.
04Can you act as compliance officer?+
In most jurisdictions the compliance officer must be an internal appointment. We support the role with second-line capacity, drafts, monitoring and board materials. We have served as the responsible person for some specific structures.
05How do you handle AML transaction monitoring tuning?+
We run an effectiveness review, recalibrate the rules and thresholds against your actual portfolio risk, document the changes for FIU and supervisory review, and embed quarterly tuning cycles.
06Do you cover SFDR Article 8 and 9 classification?+
Yes. We map products, draft pre-contractual disclosures, build the PAI statement and align with the EU Taxonomy. We track the Level 2 review and adjust as the framework evolves.
07How do you bill?+
Programme set-up is fixed scope. Compliance officer support is a monthly retainer with a defined deliverable calendar. Independent reviews are fixed fee on a scope letter.
08Do you work with our internal audit?+
Yes. We coordinate with internal audit, external auditors and counsel. Our work product is signed off by your Head of Compliance or MLRO.
§ 08 / RELATED
Related practices.
Financial Compliance
DORA, MiFID II, AML programme and supervisory authority liaison.
Open practice →Cybersecurity
ISMS, ISO 27001, NIS2 controls and DORA ICT risk framework.
Open practice →Vendor Risk
Third-party due diligence and DORA Art. 28 register.
Open practice →09 / GET STARTED
Ensure compliance of your financial institution
Typical outcomes: ready for DORA 2025, NIS2 minimum controls, AML program operating.