The EBA’s 2025 ML/TF Opinion doubles down on urgency: innovation is outpacing controls, and product/service risks now eclipse customer risks. Supervisors are already more intrusive: off‑site reviews rose 41% between 2022 and 2024, with targeted inspections across high‑risk sectors. Yet 61% of breaches still stem from CDD failures.
FinTechs, EMIs and PIs are firmly in scope. Seventy percent of EU authorities report high or rising ML/TF risk in FinTech; 86% cite cross‑border exposure, 55% outsourcing weaknesses, 64% cyber-enabled fraud, and 52% inadequate transaction monitoring. White-labelling is a pressure point: 90% of supervisors who assess it rate risk medium–high, with supervisory blind spots where partners aren’t obliged entities. vIBAN risk is rising—cascading/reissuing obscures end users and cross‑border booking creates oversight gaps. AMLR now defines vIBANs and requires registration in national account registers (applying from 10 July 2027).
Crypto remains high risk. CASP numbers multiplied 2.5x to 2,525 by end‑2024; some sought to bypass licensing, avoiding AML/CFT supervision. Authorities report weak governance, fitness and propriety, and poor CDD; 53% flag poor understanding of customer risk, 43% inadequate identity verification. Spillovers into EMIs/PIs (crypto–fiat conversion, group outsourcing) are material. TF typologies increasingly feature stablecoins/EMTs; by end‑2024 there were 13 EMT issuers in the EU.
RegTech can help—but poor implementation drives failures. Over half of EuReCA submissions implicate RegTech misuse; 277 material weaknesses linked to onboarding/monitoring/screening tools, with concentration risk from off‑the‑shelf solutions. AI is a two‑edged sword: banks are mostly testing, while criminals use deepfakes and automation to evade controls. Prepare for AI-enabled fraud with robust onboarding, document forensics and real‑time monitoring.
Sanctions controls must mature. The EBA’s two restrictive‑measures Guidelines apply from 30 December 2025. Instant payments (10‑second execution) constrain ex‑ante checks; card‑scheme data gaps and “aggregator” cards obscure counterparties. Expect supervisors to probe screening quality, governance, record‑keeping and alert handling.
Investment firms and funds show improving residual risk, but fraud is surging and crypto‑linked scams target investors. Tighten source‑of‑funds/wealth, PEP/EDD, outsourced AML oversight, and STR decisioning.
Your 90‑day plan:
This is what “compliance keeps pace with innovation” looks like.