In its latest risk assessment, the European Banking Authority (EBA) has warned that poor practices and a lack of experience at fintechs, including payments and crypto firms, are undermining efforts to tackle financial crime.
The stark warning from the EU banking watchdog highlights how poor compliance practices and careless use of technology are fuelling money laundering (ML) and terrorist financing (TF) risks across the EU’s financial services sector.
In its 2025 opinion on ML/TF risks, the EBA said a majority of national regulators have expressed growing concern about fast-growing digital financial firms, particularly in the fintech and crypto sectors, where innovation appears to be outpacing effective oversight.
According to the report, 70 percent of competent authorities observed high or rising ML/TF risks linked to fintechs.
The EBA pointed to weak AML/CTF controls and poor governance, warning that some firms are prioritising growth and customer acquisition over compliance.
It identified outsourcing without oversight, cybercrime exposure and weak customer due diligence controls as major vulnerabilities.
According to the authority, regulators “are concerned that this rapid growth may not have been accompanied by robust AML/CFT controls, and that some FinTech providers may be prioritising customer acquisition over compliance.”
The EBA warned that many “firms lack the expertise and governance structures necessary to identify and tackle ML/TF risks effectively”.
“Competent authorities need to be mindful of this when putting together their supervisory plans to ensure compliance keeps pace with innovation in this sector,” the report says.
“This is particularly important, since the acquisition by traditional institutions of FinTech firms means that these risks may also spill over into other sectors.”
The risks of regtech
Notably, the EBA also delivered a blunt assessment of regtech adoption, revealing that more than half of serious compliance failures reported to its EuReCA database involved the improper use of regtech tools.
Despite the technology’s promise to reduce manual error and improve risk monitoring, implementation has often been sloppy or superficial.
“The widespread use by financial institutions of RegTech products by a small number of providers, and off-the-shelf solutions that are not fit for purpose, exacerbate vulnerabilities, particularly in credit and payment institutions,” the regulator said.
The EBA acknowledged the strong potential of using technology for AML/CTF compliance, but stressed the need for responsible implementation.
It warned that regulators should promote good regtech practices, such as streamlining workflows, building dynamic risk profiles and handling large data volumes, while ensuring proper oversight.
Crypto, AI and sanctions
The report says the crypto-asset sector remains a high-risk area, and notes that the number of authorised crypto-asset service providers (CASPs) more than doubled between 2022 and 2024.
It warns that many firms still attempt to bypass regulation, and some registered CASPs lack basic AML/CFT controls and show “integrity” concerns in governance and leadership.
Meanwhile, the use of artificial intelligence (AI) by criminals is accelerating laundering schemes, the banking watchdog said.
It warned that fraudsters are now automating illicit transactions, generating fake documents and evading checks using deepfakes.
The EBA said that many financial institutions are struggling to keep pace, and noted “the need for responsible AI deployment, supported by robust governance, staff training, and real-time monitoring capabilities. Institutions must remain vigilant and adaptive in this evolving threat landscape.”
Sanctions screening also remains a weak spot for firms, including those in the payments sector.
“Challenges arise in the screening of SEPA instant credit transfers, which may expose PSPs to a heightened risk of breaching restrictive measures that are not targeted financial sanctions – such as sectoral sanctions,” the report says.
“Furthermore, fragmented access to information in card payment infrastructure can lead to inadvertent breaches of restrictive measures.”
Better regulatory approach, but payments remains a risk
On a lighter note, the EBA was pleased that supervisory engagement had increased across all sectors, with many authorities conducting targeted inspections and issuing clearer AML/CTF guidance.
This has led to lower residual risks, especially in credit institutions and financial markets, the authority said.
However, it warned that controls in the payments and crypto sectors, particularly among new firms, remain weak, adding that growing supervisory focus is expected to drive improvements.
The EBA stressed that effective implementation of the new EU AML framework, which includes the upcoming Anti-Money Laundering Authority (AMLA), will be critical to addressing these vulnerabilities.
“While awareness of ML/TF risks is growing, the effectiveness of AML/CFT systems remains uneven. The findings underscore the need for continued regulatory clarity, and a more consistent application of risk-based approaches across the EU financial sector.”