EBA Flags Rising AML Risks as FinTech & AI Outrun Oversight
Key Takeaways
- Tech-driven risk: Rapid growth in FinTech, RegTech, and AI is outpacing the financial sector’s ability to manage ML/TF risks.
- Crypto remains volatile: A 2.5x increase in crypto providers hasn’t come with the controls needed to keep financial crime at bay.
- Sanctions systems lagging: Many institutions still struggle with fragmented systems and complex EU sanctions frameworks.
- AI in the wrong hands: Criminals are leveraging AI to forge documents, automate laundering, and outsmart compliance systems.
- Progress in pockets: Tax crime and de-risking risks are easing, thanks to stronger supervisory action and better alignment on AML/CFT priorities.
Deep Dive
Innovation may be reshaping the financial sector, but not always for the better. That’s the message coming through loud and clear in the European Banking Authority’s (EBA) latest biennial Opinion on money laundering and terrorist financing (ML/TF) risks.
Published today, the 2025 Opinion finds that while new technologies like RegTech, FinTech, crypto services, and artificial intelligence are transforming compliance and financial services, their careless or poorly governed use is introducing fresh vulnerabilities, and, in some cases, fueling financial crime.
The EBA’s assessment draws on data from 52 national authorities and covers developments from January 2022 through December 2024. It’s the fifth such Opinion since 2017, forming part of the EU’s broader effort to stay ahead of evolving ML/TF threats.
One of the most striking takeaways is that innovation is moving faster than risk management. Across the board, national regulators are seeing ML/TF risks either rise or remain stubbornly high in sectors that have embraced new technologies most rapidly.
- FinTech has become a hotbed of risk, with 70% of regulators flagging concerns. The sector’s focus on growth and speed has often come at the cost of sound governance and anti-money laundering controls. The EBA notes that some firms appear more focused on acquiring customers than understanding who those customers are.
- RegTech, intended to help automate compliance and reduce human error, isn’t faring much better. The EBA says more than half of serious compliance failures reported in its EuReCA database stem from misuse or misapplication of RegTech tools, often because firms don’t fully understand how to deploy them or rely on out-of-the-box solutions that just don’t fit.
- Crypto services continue to be a major weak point. Between 2022 and 2024, the number of authorised crypto-asset service providers (CASPs) more than doubled. But many still lack basic AML/CFT systems, and some have tried to avoid regulation altogether. The EBA highlights concerns about weak governance, questionable management, and a lack of transparency.
- AI-fueled crime is also on the rise. Criminals are now using artificial intelligence to create fake documents, automate laundering schemes, and bypass identity checks. Meanwhile, many financial institutions are struggling to keep up. The EBA calls for “responsible AI deployment,” backed by real-time monitoring, governance, and staff training.
Sanctions Compliance is Still a Weak Spot
Sanctions enforcement has emerged as another pain point. With EU sanctions regimes becoming more complex, many financial institutions still lack the systems and procedures needed to comply effectively.
Screening instant credit transfers, navigating sectoral sanctions, and managing fragmented information across payment systems are just some of the challenges. That’s why the EBA is rolling out two new sets of guidelines by the end of 2025, its first attempt to create EU-wide standards for sanctions compliance.
It’s not all doom and gloom though. The EBA points to some areas where sustained attention and regulatory coordination have paid off. For example, risks related to tax crimes and “unwarranted de-risking”, where institutions drop customers to avoid compliance headaches, are on the decline in most Member States.
Supervisory engagement has also stepped up across the board, with regulators conducting more inspections, issuing more guidance, and enforcing higher expectations for AML/CFT controls. In sectors like credit institutions, investment funds, and life insurance, residual risk levels are beginning to fall.
But the overall picture is uneven. The crypto, e-money, and payments sectors remain particularly exposed. And for the first time since these Opinions began, risks associated with products and services have overtaken risks linked to customer types.
More Clarity, Better Consistency, Smarter Tech Use
At its core, the EBA’s message is that technology can be a powerful ally in fighting financial crime, but only if it’s used responsibly, with proper oversight, governance, and expertise.
As the EU prepares to roll out its revamped AML/CFT legal framework, including the launch of the new Anti-Money Laundering Authority (AMLA), the need for clearer rules, consistent supervision, and a smarter, more risk-aware approach has never been more urgent.