The European financial sector stands at a crossroads, with relentless technological innovation colliding with regulatory pressure to protect the financial system against money laundering and terrorist financing. The 2025 Opinion and Report from the European Banking Authority (EBA) presents the most comprehensive view to date of the complex risk landscape, highlighting that money laundering and terrorist financing risks are not only growing but evolving in ways that demand immediate action from banks, regulators, and technology providers.

FinTech and RegTech: Money Laundering Risk Surges as Innovation Outpaces Oversight

FinTech solutions have exploded in popularity, driving a wave of new products and transforming how consumers interact with financial services. Yet this wave of innovation carries an unwelcome side effect: a surge in ML/TF vulnerabilities. According to the EBA’s findings, nearly 70% of EU competent authorities reported heightened money laundering and terrorist financing risks within the FinTech sector. Factors driving these risks include:

• Rapid customer acquisition at the expense of compliance controls
• Heavy reliance on outsourcing and white labelling, obscuring true accountability
• Insufficient expertise and lack of robust governance frameworks within FinTech firms

Outsourcing, especially through white labelling arrangements, has created layers of opacity, allowing non-financial entities to distribute products under their brand while relying on the regulatory cover of licensed partners. This complexity often leaves compliance gaps that can be exploited for illicit purposes. Supervisors noted that monitoring the true extent of white labelling has proven difficult, as arrangements may go unreported unless triggering certain regulatory thresholds.

RegTech, or regulatory technology, promises to modernize compliance by automating anti-money laundering and counter-terrorist financing (AML/CFT) tasks. However, the EBA report points out that these benefits are far from guaranteed. Many institutions deploy off-the-shelf RegTech solutions that are ill-suited to their specific risk profiles, or they rely too heavily on a handful of technology vendors. This creates systemic vulnerabilities, especially when institutions lack the skills or resources to validate and monitor these tools properly. In more than half of the institutions reporting material compliance failures, the root cause traced back to the improper deployment or oversight of RegTech.

The adoption of artificial intelligence (AI) in compliance is rising, with about 10% of EU banks experimenting with AI-driven solutions for AML/CFT. Yet, the EBA warns that banks’ understanding of AI risks is still limited, and recruitment of technical talent remains a significant bottleneck. Meanwhile, criminals are already leveraging AI for sophisticated frauds, document forgeries, and deepfake-enabled onboarding scams, making it harder than ever for compliance teams to keep up.

Crypto Assets and Stablecoins: New Regulation Meets Persistent Laundering Risks

Crypto asset service providers (CASPs) have multiplied across the EU, with both transaction volumes and the number of licensed entities soaring. Despite the forthcoming Markets in Crypto Assets Regulation (MiCA) and enhanced Funds Transfer Regulation (FTR), the EBA’s latest data underscores that the sector remains a high-risk environment for money laundering and terrorist financing.

Key risks identified include:

• Weak onboarding and customer due diligence practices
• Attempts by some CASPs to bypass regulatory licensing and AML/CFT controls
• Lack of transparency and oversight in crypto transactions, especially through stablecoins and e-money tokens

Supervisory inspections revealed that more than half of competent authorities consider the failure to adequately verify customer or beneficial owner identity as a major deficiency in CASP AML programs. The growing use of stablecoins and e-money tokens for terrorist financing is especially concerning. Criminals are turning to these instruments not just for the speed and pseudo-anonymity they offer, but also because peer-to-peer and self-hosted wallet transactions fall outside the conventional financial system’s monitoring reach.

The EBA report notes a rising trend in so-called “rug pull” scams, where investors are lured into fraudulent crypto tokens only to have the organizers vanish with the proceeds. These schemes, coupled with unregulated token sales and the integration of crypto assets into the broader payments ecosystem, create an intricate web of ML/TF risks that extend beyond just CASPs to payment institutions and e-money providers.

The introduction of MiCA, which becomes fully applicable from the end of 2024, is expected to create a more consistent and enforceable AML/CFT regime for crypto businesses. Under MiCA, all issuers of e-money tokens and CASPs must be authorized and subject to the same AML/CFT standards as traditional financial institutions. However, the transition period and the pace of supervisory enforcement remain sources of concern.

Sanctions, Fraud, and Corruption: Complex Threats Test the Limits of Compliance

The geopolitical climate has triggered an unprecedented wave of EU sanctions, creating an intricate compliance landscape for financial institutions. As sanctions packages become more complex and targeted, traditional list-based screening solutions have struggled to keep up. The EBA points out that many institutions lack adequate internal controls, risk assessments, and documentation to ensure full sanctions compliance, particularly for instant credit transfers and card-based payments where information gaps remain.

A particular challenge is the proliferation of “aggregator” payment cards, which can bundle multiple funding sources and obscure the true origin of funds. Such instruments may inadvertently facilitate sanctions evasion and complicate investigations.

Fraud risks have also escalated dramatically, driven by the proliferation of automation and AI. Payment fraud alone cost the EU over EUR 4.3 billion in 2022, with sophisticated phishing, malware, and ransomware attacks increasingly targeting banks, investment firms, and credit providers. Remote onboarding, a convenience accelerated by the pandemic, has become a prime target for deepfake-enabled identity fraud and synthetic identity creation. Money mules, often recruited through scams, continue to play a central role in laundering proceeds from these activities.

Corruption and risks related to politically exposed persons (PEPs) have not receded, with supervisors identifying persistent deficiencies in the application of enhanced due diligence. The EBA highlights a growing use of crypto and FinTech channels to facilitate bribery and the laundering of corrupt proceeds, noting that more robust cross-agency cooperation is needed, including between AML/CFT and anti-bribery authorities.

The EU is moving to close loopholes with new legislative packages, including the Anti-Money Laundering Regulation (AMLR) and updates to the Digital Markets Act (DMA), which will extend AML/CFT obligations to digital “gatekeepers” such as large e-money token issuers. A new EU directive on combating corruption is expected to reinforce the criminal liability of legal entities and demand the integration of anti-corruption monitoring into wider risk management frameworks.

Sector-by-Sector Analysis: Where the Highest Risks Remain

The EBA’s granular analysis reveals distinct sectoral vulnerabilities:

• Credit and Payment Institutions: Despite improvements in supervision and some positive trends in residual risk, these sectors still see high volumes of breaches—most often tied to customer due diligence failures, inadequate transaction monitoring, and poor outsourcing oversight.
• E-Money and Crypto Asset Service Providers: Both face rising inherent and residual risks, with weaknesses in governance, insufficient understanding of ML/TF risks, and rapidly evolving product offerings outpacing internal controls.
• Life Insurance and Investment Sectors: Tax crime laundering risks have declined thanks to focused supervision, but fraud and corruption (including the misuse of new investment products like NFTs and decentralized finance) are growing threats.

The EBA further notes that product and service risks have, for the first time, overtaken customer-related risks as the main drivers of money laundering vulnerability. However, a full 61% of breaches across all sectors remain due to shortcomings in customer due diligence.

Environmental crime is emerging as a new area of regulatory focus, with waste trafficking and associated laundering attracting supervisory attention in some Member States. Yet, exposure to such risks is still inconsistently identified or addressed.

The Path Forward: Strengthening EU AML/CFT Defenses

While the EBA acknowledges improved awareness and engagement from both supervisors and institutions, it warns that AML/CFT systems remain uneven and often struggle to keep pace with the changing threat landscape. Regulatory clarity, consistency, and the implementation of risk-based approaches are more critical than ever.

The coming into force of the new AML/CFT package, including the establishment of the EU Anti-Money Laundering Authority (AMLA), promises to harmonize standards, promote information sharing, and enable more robust supervision across borders and sectors. Key priorities include:

• Ensuring that new technologies (AI, RegTech, and crypto) are deployed responsibly, with adequate testing, oversight, and transparency
• Reducing gaps in sanctions screening and monitoring, particularly for emerging payment and crypto instruments
• Reinforcing governance, training, and specialist recruitment within compliance teams
• Extending AML/CFT expectations to new actors, including digital gatekeepers and non-traditional financial service providers
• Improving cooperation among AML/CFT, anti-corruption, and prudential supervisors

The challenge for the next two years will be translating regulatory intent into operational resilience, especially as criminals leverage technology to outpace compliance. Success will depend on the ability of institutions to adapt their risk assessments, invest in technology and skills, and maintain close collaboration with regulators and law enforcement. With the EU’s financial system under constant pressure from both external threats and internal innovation, the real test of AML/CFT effectiveness is only just beginning.

---

Related Links

• EBA Guidelines on Risk-Based AML/CFT Supervision
• Markets in Crypto-Assets Regulation (MiCA)
• EU Funds Transfer Regulation (2023/1113)
• EBA Guidelines on Restrictive Measures
• EU Directive on Combating Corruption (COM/2023/234)

Other FinCrime Central Articles About EBA’s Statements

• EBA Sees Significant Progress in Combating Money Laundering
• EBA Clearing’s Game-Changing Sepa-wide Verification of Payee Service

Source: EBA (PDF)

Some of FinCrime Central’s articles may have been enriched or edited with the help of AI tools. It may contain unintentional errors.

Want to promote your brand with us or need some help selecting the right solution or the right advisory firm? Email us at info@fincrimecentral.com; we probably have the right contact for you.