‘Crypto remains high-risk sector for AML’ – EBA
A report from the European Banking Authority (EBA) on anti-money-laundering and terrorist-financing (AML/TF) says that “new vulnerabilities” are emerging.
Citing geopolitical developments, legislative reforms, and digitalisation, the EU’s banking watchdog says that 2025 marks “a significant change in the AML/TF risk landscape”.
The EBA published its biennial 2025 opinion on AML/TF yesterday (28 July), as required under an EU directive.
‘Weak controls’ in fintech
It noted that 70% of competent authorities reported “high or rising” AML/TF risks in the fintech sector, with weak controls and poor governance, adding that firms appeared to be prioritising growth over compliance.
“Key vulnerabilities include exposure to cybercrimes, outsourcing without effective oversight, and inadequate customer due-diligence controls,” the report said.
The EBA said that crypto “remains a high-risk sector”, with a 2.5-fold increase in authorised crypto-asset service providers (CASPs) between 2022 and 2024.
“Many CASPs lack effective AML/FT systems, and some attempt to bypass regulatory oversight,” the report stated.
AI ‘struggle’
The EBA also reported that criminals were increasingly using AI to automate laundering schemes, forge documents, and evade detection.
“Financial institutions struggle to keep pace with these sophisticated threats, highlighting the need for responsible AI use and robust monitoring,” it added.
The authority also expressed some concern about ‘regtech’ – technology used to help business comply with regulatory requirements.
The report found that over half of serious compliance failures reported to the EBA’s EuReCA database involved the improper use of regtech tools.
“Despite its potential to enhance compliance, regtech is often poorly implemented due to lack of expertise and oversight,” it stated.
Sanctions ‘complexity’
The EBA report found that the number and complexity of EU sanctions packages were posing significant challenges for financial institutions, “as they often cannot be implemented by using standard sanctions-screening tools”.
The regulator said that its two sets of guidelines on the issue, which set out common EU standards for financial institutions to comply with sanctions measures and come into effect from the end of 2025, would reduce the inconsistent implementation of such measures.
The opinion also highlighted some positive developments, saying that risks linked to tax crimes and unwarranted de-risking appeared to be decreasing.
Unwarranted de-risking refers to situations where institutions refuse or cancel business from customers or categories of customers without due consideration of their individual risk profiles.