On 28 of July, the European Banking Authority (EBA) published its biennial ‘Opinion and Report on Money Laundering and Terrorist Financing risks’ {1}. The 2025 report highlights the rapid evolution of financial technologies and the widespread new financial products, as well as the new vulnerabilities that have arisen since the last published Opinion in 2023. EBA identifies a complex and rapidly changing landscape in the EU’s financial sector, with Fintech, RegTech, and AI at the centre of these developments.
Despite some positive developments, the report also underscores ongoing and emerging challenges that require attention. Although positive trends have been highlighted since the publication of the last Opinion—such as the reduction in tax crime risks and the decline in unnecessary de-risking—the risks related to payment institutions, e-money and crypto sectors have increased. In addition, the Opinion highlights that terrorist financing risks have not been addressed effectively. The rapid growth of Fintech and crypto assets has introduced new vulnerabilities and several institutions throughout the EU were found to lack robust assessment and monitoring frameworks relating to cybercrime, fraud, corruption, sanctions evasion and terrorist financing risks.
In its cross-sectoral assessment, the EBA identified several key vulnerabilities, including the Fintech business, white labelling and oversight challenges, risks associated with virtual IBANs, RegTech, CASPs and the increasingly complexity of the sanction’s regime, amongst others. Some of the noteworthy vulnerabilities include:
- FinTech firms appear to prioritise growth over compliance
The rapid growth of Fintech firms, seems not to have been accompanied by the expected proportional effectiveness of Fintech’s AML/CFT systems and controls. Additionally, new risks have emerged due to the prioritization of customer acquisition and rapid growth over developing robust compliance frameworks.
- The unthinking use of RegTech
Although RegTech is seen as a valuable tool for better compliance, it also poses significant ML/TF risks. The three most significant risks appear to be derived from outsourcing, automation without effective monitoring and lack of in-house skills. These risks have resulted in compliance failures especially when the RegTech solution is not fully understood and not tailored to the specific needs of the entity.
- Concerns around CASPs’ ability to identify and manage ML/TF risk
EBA highlights the substantial growth in the number of licensed CASPs, along with the new vulnerabilities arising from this expansion. While the number of transactions processed by CASPs continues to increase, AML/CFT controls and systems appear to be lacking in certain areas such as that related to CDD verification. In addition, there has also been an increase in fraud related crimes. In general, the Opinion highlights a lack of understanding of the ML/TF risks associated with business relationships.
Law enforcement investigations have identified that cryptocurrencies continue to be used to transfer funds for terrorism financing, with a shift from Bitcoins towards stablecoins being observed, since the last Opinion.
- Increasing risks of non-compliance with restrictive measures due to the complexity of successive sanctions
The complexity of EU sanctions regimes is presenting new challenges for financial institutions. Many entities lack robust policies and systems to deal and manage the intricate web of sanctions that have been put into place. The Opinion also highlights the need for strong internal processes, better governance arrangements and improved exposure assessments.
When assessing the AML/CFT trends by sector, the EBA identified that:
- inherent ML/TF risks increased in payment institutions, e-money institutions and crypto assets service providers;
- residual risk has improved for credit institutions, investment funds and life insurance providers; and
- residual risk exceeds inherent risks in the payment, e-money and crypto sectors.
The EBA makes reference to the upcoming regulatory changes and states that the financial sector should drive innovation to combat ML/TF risks and uneven effectiveness of AML/CFT systems across the EU. The EBA calls for consistency, responsible technology adoption, and improved cross-border coordination, especially in crypto.
