
EBA ¦ Opinion and Report on ML and TF risks affecting the EU’s financial sector
Opinion (EBA/Op/2025/10) and Report (EBA/REP/2025/22) of the European Banking Authority on money laundering and terrorist financing risks affecting the EU’s financial sector
Introduction and Legal Framework
The European Banking Authority (EBA) is empowered by Article 6(5) of Directive (EU) 2015/849 to deliver an Opinion every two years on the risks related to money laundering (ML) and terrorist financing (TF) within the EU’s financial sector. This fifth Opinion covers data collected from January 2022 to December 2024 and is intended for European co-legislators as well as AML/CFT competent authorities. The purpose of this Opinion is to guide competent authorities in applying a risk-based approach to AML/CFT supervision and to inform the European Commission’s supranational risk assessment frameworks.
Key Findings and General Overview
The financial sector within the EU is facing an increasingly dynamic and intricate landscape of ML/TF risks. Rapid technological advancements, including the rise of new financial products such as crypto assets and the growing interconnection of services across sectors, have introduced novel vulnerabilities. While innovation drives financial inclusion and consumer experience, it also often outpaces compliance mechanisms, leading to elevated risks. The FinTech sector exemplifies this trend, where rapid growth sometimes comes at the expense of robust AML/CFT controls. Additionally, the deployment of RegTech solutions, which hold promise for enhancing compliance efficiency, has been hampered by poor implementation and inadequate oversight. The crypto asset sector remains a critical area of concern due to a sharp increase in providers and transaction volumes, coupled with persistent weaknesses in AML/CFT systems and governance. Fraud and cybercrime continue to evolve with increasing sophistication, particularly through the use of artificial intelligence (AI), which criminals exploit to automate complex laundering schemes and evade detection. Compliance with restrictive measures, especially sanctions, is becoming more challenging owing to the growing volume and complexity of sanctions packages.
Despite these challenges, there are positive trends. Competent authorities report a decline in risks related to tax crimes and a reduction in unwarranted de-risking practices. Supervisory engagement has intensified across many sectors, resulting in improved residual risk profiles, particularly within credit institutions, investment funds, and life insurance sectors. Notably, risks associated with products and services have now surpassed those linked to customers, reflecting shifting dynamics in ML/TF risk drivers. Nevertheless, uneven effectiveness in AML/CFT systems across sectors underscores the continued need for regulatory clarity and consistent application of risk-based approaches throughout the EU financial sector.
Cross-Sectoral Money Laundering and Terrorist Financing Risks
The rapid expansion of FinTech firms has introduced significant ML/TF vulnerabilities. These firms prioritize technological innovation and rapid market growth but often lack sufficient AML/CFT expertise and governance frameworks. Competent authorities have observed that a majority of FinTech providers do not fully comprehend or manage the ML/TF risks inherent in their products and services. This gap is exacerbated by complex outsourcing arrangements and significant cross-border transactions, which heighten exposure to cybercrime and fraud risk. Furthermore, traditional financial institutions acquiring FinTech firms may inadvertently inherit these vulnerabilities.
White labelling arrangements, where a financial firm offers products under its own brand but sourced from a licensed provider, pose additional challenges. These arrangements complicate oversight because the partner entity may not be subject to direct AML/CFT obligations, leaving providers ultimately responsible for compliance. Competent authorities report difficulties in monitoring such arrangements due to their contractual complexity and cross-border nature, which can obscure risk visibility.
Virtual International Bank Account Numbers (vIBANs) have been identified as a tool that obscures account holder identity and complicates transaction monitoring efforts for payment service providers and law enforcement agencies. Divergent interpretations of vIBAN definitions across Member States create regulatory inconsistencies and potential supervisory gaps. The new AML Regulation includes provisions to mitigate these risks by requiring registration of vIBANs in national central registers beginning in July 2027.
While RegTech offers valuable tools for streamlining compliance processes such as onboarding, transaction monitoring, and screening, its uncritical adoption has introduced significant risks. Financial institutions often lack the internal skills or governance structures to deploy RegTech solutions effectively. This has led to widespread compliance failures due to inadequate oversight of outsourced technology solutions, insufficient testing before implementation, and over-reliance on off-the-shelf products that may not fit specific institutional needs.
The crypto asset sector has experienced a 2.5-fold increase in authorized crypto asset service providers (CASPs) alongside a sharp rise in transaction volumes between 2022 and 2024. Despite regulatory progress through MiCA and related frameworks, many CASPs continue to operate with inadequate AML/CFT controls. Supervisory findings highlight weaknesses in customer risk assessments, governance deficiencies, and attempts by some entities to evade licensing requirements altogether. The increasing interconnection between CASPs and traditional financial institutions further amplifies ML/TF risks across multiple sectors.
Terrorist financing risks have remained relatively stable overall; however, there is concern over rising use of stablecoins – especially electronic money tokens (EMTs) – for TF purposes due to their price stability and ease of international transfer. Financial institutions frequently rely solely on sanctions screening without deploying more comprehensive TF detection methods, resulting in gaps in mitigating TF risks effectively.
Tax-related ML/TF risks appear to be declining in several Member States due to legislative reforms and enhanced supervisory efforts. Authorities have increased their focus on tax crimes through thematic reviews, information exchange with tax authorities, and incorporating tax-related risks into national risk assessments.
Risks linked to politically exposed persons (PEPs) persist with ongoing weaknesses in the application of enhanced due diligence measures. Corruption within financial institutions remains insufficiently addressed despite its critical role in facilitating money laundering activities. The introduction of new EU-wide criminal liability rules for corruption offenses further emphasizes the need for integrating anti-corruption measures into AML/CFT frameworks.
Compliance with restrictive measures such as sanctions has become more complex due to successive EU sanctions packages that cannot be fully managed using standard screening tools. Fragmentation within payment infrastructures, including challenges related to SEPA instant payments and card payment schemes, results in incomplete visibility over sanctioned individuals or entities. The EBA has issued new guidelines establishing common EU standards for compliance with restrictive measures that will take effect by the end of 2025.
Automation and AI technologies have accelerated the scale and sophistication of fraud schemes targeting financial institutions and consumers. Criminals exploit AI capabilities to create convincing fraudulent narratives, generate fake documents through deepfake technologies, and automate laundering processes that evade detection systems. Remote onboarding processes are particularly vulnerable to AI-enabled identity fraud. Credit institutions, investment firms, and investment fund managers are among the sectors most exposed to these threats.
The fragmented nature of payment infrastructure poses additional compliance challenges. ATM withdrawals involving cardholders who are not clients of the operating institution complicate risk detection due to limited customer identification data. Instant payments executed within seconds hinder real-time transaction monitoring efforts, reducing effectiveness against money laundering attempts.
Unwarranted de-risking practices — where financial services are denied without appropriate consideration of individual risk profiles — are reportedly decreasing following supervisory interventions guided by EBA recommendations. However, access to basic financial services remains an area requiring continued attention.
Environmental crimes represent a largely under-assessed area of ML/TF risk with most Member States yet to evaluate these risks comprehensively. Waste trafficking has emerged as a particular concern given its prevalence and ties to corruption within public decision-making processes related to hazardous waste management.
AML/CFT Trends by Sector
⇘ AML/CFT controls have shown improvement in several sectors since 2021. Credit institutions have experienced a decline in inherent ML/TF risks attributed largely to reduced product- or service-related vulnerabilities. Similarly, credit providers, investment firms, collective investment undertakings, fund managers, and life insurance intermediaries have reported more moderate risk profiles supported by enhanced supervisory frameworks.
⇗ Conversely, inherent risks have increased in sectors such as payment institutions, e-money institutions, life insurance undertakings, and crypto asset service providers. This increase correlates with emerging use cases involving electronic money tokens and crypto-related services that remain immature from a compliance perspective.
⇘ Residual risk levels, reflecting the risk remaining after controls, have improved notably across credit institutions, investment funds, life insurers, credit providers, bureaux de change, and life insurance intermediaries due to enhanced AML/CFT systems. However, residual risks remain high or have increased in payment institutions, e-money institutions, crypto asset service providers, and life insurance undertakings, indicating persistent control weaknesses, particularly among new or rapidly growing entities.
⇒ Breaches across all sectors predominantly involve failures in customer due diligence procedures including identification, verification, ongoing monitoring, and risk rating inaccuracies. Credit institutions frequently demonstrate lapses in applying CDD effectively despite having policies in place. Payment institutions, e-money institutions, bureaux de change, collective investment undertakings, fund managers, credit providers, life insurers, investment firms, and crypto asset service providers all report various deficiencies related to internal policies and procedures or human resource shortages impacting AML/CFT effectiveness.
⇒ Supervisory engagement has intensified substantially between 2022 and 2024 with a significant increase in off-site reviews reflecting a trend toward remote supervisory methodologies augmented by data analytics tools. On-site inspections have remained relatively stable but continue playing a crucial role for high-risk sectors or entities exhibiting notable vulnerabilities.
Supervisory Measures Taken Post-2023 Opinion
Following the 2023 Opinion’s recommendations, competent authorities across Member States have taken varied measures tailored to sector-specific risks. In credit institutions, supervisory actions included rigorous testing of transaction monitoring systems through sample reviews and scenario analysis complemented by interviews with compliance staff and virtual system walkthroughs.
Payment institutions received targeted guidance focusing on agent networks’ oversight given their critical role in service delivery models involving money remittance corridors and online onboarding processes vulnerable to fraud risks. Several authorities organized sector-wide training sessions combined with thematic inspections centered on transaction monitoring effectiveness and compliance with sanctions obligations.
E-money institutions underwent enhanced supervisory scrutiny prompted by rapid sector growth involving novel FinTech business models; this included updating risk assessment methodologies incorporating cross-border activities analysis alongside thematic reviews addressing remote onboarding practices.
Crypto asset service providers’ supervisors focused heavily on capacity building through extensive training programs covering blockchain analytics tools and legal frameworks under MiCA and related regulations. Supervisory efforts prioritized fitness-and-propriety assessments during licensing processes while incorporating new risk factors such as self-hosted wallets into questionnaires.
Credit providers saw focused supervisory attention on sub-sectoral risks such as international leasing or factoring activities through off-site analysis supplemented by licensing reviews aimed at remediating identified shortcomings.
Bureaux de change supervisors expanded their scope beyond currency exchange activities by evaluating associated precious metals trading risks through full-scope onsite inspections leading to legislative updates enhancing regulatory frameworks governing these entities.
Life insurance undertakings faced inspections emphasizing customer identification processes including PEP screening combined with remedial plans for entities exhibiting systemic control failures.
Supervision of investment firms involved thematic reviews related to AML governance while delivering individualized feedback designed to enhance sector-wide compliance culture supported by conferences sharing NRA findings.
Collective investment undertakings benefited from updated supervisory tools incorporating beneficial ownership checks with intensified oversight on cross-border fund management structures aimed at mitigating emerging ML/TF risks.
Fund managers were subject to off-site reviews targeting internal control frameworks complemented by on-site inspections assessing transaction monitoring efficacy alongside training initiatives fostering awareness about sector-specific vulnerabilities such as residency-by-investment schemes.
Conclusion
The EBA’s fifth Opinion highlights a complex ML/TF threat environment shaped by technological innovation outpacing compliance capabilities across various financial sectors within the EU. While improvements are evident particularly within traditional banking segments supported by enhanced supervision and regulatory reforms, emerging sectors such as FinTech innovations, crypto assets, and AI-driven fraud present heightened challenges requiring sustained regulatory attention.
Addressing these evolving risks effectively requires clear regulatory frameworks coupled with consistent application of risk-based supervision across Member States. Enhanced cooperation between AML/CFT supervisors, prudential regulators, law enforcement agencies, and other stakeholders is critical to closing gaps exposed by rapid innovation cycles. Equally essential is building expertise within supervised entities, ensuring that technological solutions like RegTech are responsibly implemented while leveraging advanced analytics for fraud detection.
Ultimately, balancing innovation with robust safeguards remains pivotal to protecting the integrity of the EU’s financial system against money laundering and terrorist financing threats.
Dive deeper
- EBA ¦ EBA/Op/2025/10 Opinion and EBA/REP/2025/22 Report on ML and TF risks affecting the EU’s financial sector