# Finray Intelligence Vendor-neutral, evidence-disciplined buyer guides for the people who procure, build and operate regulated financial infrastructure. Primary sources only. Conflicts of interest disclosed inline. - Source: https://finray.tech/intelligence/ - Editorial principle: primary sources, accessed-date on every URL - Disclosure: where a Finray product appears in a Finray Intelligence comparison, that product is recused from any qualitative ranking - Publisher: Finray Technologies Ltd, Cyprus Companies Registry HE 445903 - Correspondence and corrections: legal@finray.tech --- ## Methodology ### Editorial methodology How Finray Intelligence conducts research on regulated finance infrastructure, our editorial principles, and how we disclose conflicts of interest. - Read: https://finray.tech/intelligence/methodology/ - Markdown mirror: https://finray.tech/intelligence/methodology.md ## Buyer guides and forensic registers ### DORA Article 28 RTS/ITS Pack — entity-level RoI, third-party-policy and subcontracting controls - Cluster: Authority - Published: 2026-05-10 - Updated: 2026-05-11 The DORA Article 28 RTS/ITS Pack — Delegated Regulations 2024/1773 + 2025/532 and Implementing Regulation 2024/2956 — defines entity-level RoI templates, third-party-policy controls and subcontracting controls for ICT services supporting critical or important functions. The radar maps 34 RoI fields, 14 policy controls, 13 subcontracting controls and the 19 first-batch CTPPs. Ordinis recused. - Read: https://finray.tech/intelligence/dora-rts-its-pack/ - Markdown mirror: https://finray.tech/intelligence/dora-rts-its-pack.md ### FCA Supplementary Safeguarding Regime — CASS 15, CASS 10A, SUP 3A, SUP 16.14A operational delta - Cluster: Corebanq - Published: 2026-05-10 - Updated: 2026-05-11 The FCA PS25/12 Supplementary Safeguarding Regime introduces operational safeguarding rules in CASS 15, resolution-pack rules in CASS 10A, audit rules in SUP 3A and monthly REP027 reporting in SUP 16.14A. The radar maps 90+ controls across the four Handbook surfaces, the prior-regime change-delta, enforcement cases and the UK vendor universe. Corebanq recused. - Read: https://finray.tech/intelligence/fca-supplementary-safeguarding-regime/ - Markdown mirror: https://finray.tech/intelligence/fca-supplementary-safeguarding-regime.md ### Core banking deployment topology and regulatory alignment — multi-tenant SaaS vs single-tenant in customer cloud account - Cluster: Corebanq - Published: 2026-05-08 - Updated: 2026-05-08 DORA Articles 28 and 30, PRA SS2/21 and FINMA Circular 2018/3 require EU/EEA financial entities, UK firms and FINMA-supervised firms choosing core-banking deployment to prove outsourcing, audit, exit and concentration-risk controls. The graph maps 50 nodes and 148 edges across two topologies, 10 controls, 16 regulatory anchors, nine regulators and 13 vendor/product claims. Corebanq recused. - Read: https://finray.tech/intelligence/deployment-topology-regulatory-alignment/ - Markdown mirror: https://finray.tech/intelligence/deployment-topology-regulatory-alignment.md ### AMLR / AMLD6 / AMLA implementation pathway tracker - Cluster: Authority - Published: 2026-05-07 - Updated: 2026-05-07 AMLR Regulation (EU) 2024/1624, AMLD6 Directive (EU) 2024/1640 and AMLA Regulation Article 12 define whether EU/EEA obliged entities, including CASPs, remain under NCA/FIU supervision or move toward AMLA direct supervision. The tracker maps 111 nodes and 343 edges across four EU instruments, 31 jurisdictions, 61 regulator/FIU nodes and eight AMLA standards at the 2026-05-07 cut-off. - Read: https://finray.tech/intelligence/amlr-amla-implementation-tracker/ - Markdown mirror: https://finray.tech/intelligence/amlr-amla-implementation-tracker.md ### Safeguarding reconciliation is a solvency discipline - Cluster: Corebanq - Published: 2026-05-07 - Updated: 2026-05-09 EMI and PI safeguarding under PSD2 Article 10, EMD2 Article 7 and FCA PS25/12 is a daily solvency discipline, not a periodic compliance task. The radar maps 15 control nodes, four named enforcement cases (BlueSnap, Foxpay, Biilz, Currency Matters) and six vendors across CBI, Bank of Lithuania and FCA evidence. Corebanq recused from ranking. - Read: https://finray.tech/intelligence/safeguarding-reconciliation-solvency-discipline/ - Markdown mirror: https://finray.tech/intelligence/safeguarding-reconciliation-solvency-discipline.md ### The Travel Rule is not a compliance bolt-on. It is an identity routing problem. - Cluster: XZiel - Published: 2026-05-07 - Updated: 2026-05-09 CASPs and dual-rail Payment Institutions under TFR Articles 14-17, MiCA Article 82, EBA/GL/2024/11 and FATF R.15/R.16 must route identity, wallet, sanctions and monitoring evidence into transfer decisions. The radar maps 70 nodes and 183 edges across 16 controls, 12 vendors and 12 product artefacts; no CASP enforcement case is named. XZiel recused; TRM Labs disclosed. - Read: https://finray.tech/intelligence/travel-rule-identity-routing-problem/ - Markdown mirror: https://finray.tech/intelligence/travel-rule-identity-routing-problem.md ### DORA Article 28 ICT third-party Register of Information tracker - Cluster: Authority - Published: 2026-05-03 - Updated: 2026-05-03 DORA Article 28 requires regulated EU/EEA financial entities to maintain a Register of Information on ICT third-party arrangements and submit it to their National Competent Authority. This quarterly-refreshed tracker maps 92 nodes and 347 edges across 51 EU/EEA NCAs plus the EBA/ESMA/EIOPA consolidation layer, with portal status, deadline and schema at the 2026-05-03 cut-off. - Read: https://finray.tech/intelligence/dora-article-28-roi-tracker/ - Markdown mirror: https://finray.tech/intelligence/dora-article-28-roi-tracker.md ### EMI / PI authorisation-withdrawal forensic register (EEA + UK) - Cluster: Corebanq - Published: 2026-05-03 - Updated: 2026-05-03 Payment Institutions and E-Money Institutions under PSD2, EMD2 and UK PSRs Regulation 10 need to know which authorisations were revoked, cancelled, refused or lost through transition. This forensic register maps 63 named withdrawals across four regulator populations at the 2026-05-03 cut-off, classified into five withdrawal types. Corebanq recused. - Read: https://finray.tech/intelligence/emi-pi-authorisation-withdrawals/ - Markdown mirror: https://finray.tech/intelligence/emi-pi-authorisation-withdrawals.md ### EMI / PI licensing-success forensic register (EEA + UK) - Cluster: Corebanq - Published: 2026-05-03 Payment Institutions, E-Money Institutions and AISP-only firms under PSD2 Annex I, EMD2 and PSD2 Article 33 must align licence route, service scope, safeguarding, ICT and governance evidence with the authorised operating model. The forensic register maps 571 successful records across FCA, DNB, Bank of Lithuania and HNB at the 2026-05-02 cut-off. Corebanq recused. - Read: https://finray.tech/intelligence/emi-pi-licensing-success/ - Markdown mirror: https://finray.tech/intelligence/emi-pi-licensing-success.md ### MiCA CASP authorisation-withdrawal forensic register - Cluster: XZiel - Published: 2026-05-03 - Updated: 2026-05-03 Crypto-Asset Service Providers and pre-MiCA DASPs under MiCA transitional measures must know whether authorisations were revoked, voluntarily cancelled, refused, lapsed or not re-authorised. This forensic register maps 29 named withdrawals across AMF, MFSA and CySEC at the 2026-05-03 cut-off, classified into five withdrawal types. XZiel recused. - Read: https://finray.tech/intelligence/mica-casp-authorisation-withdrawals/ - Markdown mirror: https://finray.tech/intelligence/mica-casp-authorisation-withdrawals.md ### MiCA CASP licensing-success forensic analysis - Cluster: XZiel - Published: 2026-05-03 Crypto-Asset Service Providers under MiCA Articles 60 and 63 must choose whether the file is an already-regulated notification or CASP authorisation, with scope matched to governance, AML/CFT, custody and ICT evidence. The forensic register maps 177 successful ESMA interim-register records at 2026-04-24 across 20 jurisdictions, five applicant archetypes and service-scope breadth. XZiel recused. - Read: https://finray.tech/intelligence/mica-casp-licensing-success/ - Markdown mirror: https://finray.tech/intelligence/mica-casp-licensing-success.md ### CASP MiCA compliance operating model - Cluster: XZiel - Published: 2026-05-01 Crypto-Asset Service Providers authorised under MiCA Title V must operate a compliance model spanning AMLR, AMLD6, TFR, FATF Travel Rule and DORA obligations. This decision graph maps 94 nodes and 139 edges across 18 regulatory anchors, 10 control domains, 20 vendor nodes and 37 product nodes for buyer due diligence. XZiel recused from ranking. - Read: https://finray.tech/intelligence/casp-mica-compliance/ - Markdown mirror: https://finray.tech/intelligence/casp-mica-compliance.md ### EU/UK PI/EMI core banking selection - Cluster: Corebanq - Published: 2026-05-01 Payment Institutions and E-Money Institutions under PSD2 Article 10, UK PSR 2017 Regulation 23, PSD3/PSR, DORA and AMLR must select core banking software that evidences ledger, safeguarding, resilience, outsourcing and audit controls. This decision graph maps 61 nodes and 100 edges across six RFP domains, 15 vendors and 21 product nodes. Corebanq recused. - Read: https://finray.tech/intelligence/eu-uk-pi-emi-core-banking/ - Markdown mirror: https://finray.tech/intelligence/eu-uk-pi-emi-core-banking.md ### Swiss FINMA GRC and ICS software - Cluster: Ordinis - Published: 2026-05-01 Swiss banks, securities firms and asset managers under FINMASA, FINMA Circulars 2008/24, 2017/01, 2018/03 and 2023/01, AMLA and FADP must select GRC/ICS software that evidences control ownership, outsourcing, AML, operational-risk and audit work. This decision graph maps 82 nodes and 180 edges across seven controls, 14 vendors and 34 product nodes. Ordinis recused from ranking. - Read: https://finray.tech/intelligence/swiss-finma-grc-ics/ - Markdown mirror: https://finray.tech/intelligence/swiss-finma-grc-ics.md