EBA Money Laundering Risks Report 2025: Key Findings for EU Financial Services
Table of Contents
- Introduction: The EBA’s Fifth ML/TF Risk Assessment
- FinTech Growth and AML Compliance Challenges
- RegTech: Promise vs. Implementation Reality
- Crypto Asset Risks and the New Regulatory Framework
- AI-Driven Fraud and Cybercrime Escalation
- Sanctions Compliance in an Era of Complexity
- Cross-Sectoral Risk Trends and Supervisory Response
- Customer Due Diligence: The Persistent Weak Link
- Environmental Crime and Emerging ML/TF Vectors
- Implications for Financial Institutions and the Path Forward
📌 Key Takeaways
- 70% of EU competent authorities report high or increasing ML/TF risks in the FinTech sector, citing growth prioritized over compliance.
- Crypto asset providers surged 2.5x between 2022 and 2024, but many lack effective AML/CFT controls and governance structures.
- AI-driven fraud is outpacing defenses — criminals deploy deep-fakes, automated schemes, and fake documents to evade detection.
- 61% of AML breaches across all sectors still stem from customer due diligence shortcomings.
- Positive trend in de-risking — 80% of competent authorities report that unwarranted de-risking is declining or no longer an issue.
Introduction: The EBA’s Fifth ML/TF Risk Assessment
The European Banking Authority (EBA) published its fifth Opinion on money laundering (ML) and terrorist financing (TF) risks in July 2025, providing one of the most comprehensive assessments of the EU financial sector’s vulnerability landscape to date. Based on data spanning January 2022 to December 2024, the report draws from responses of 52 AML/CFT competent authorities, submissions to the EBA’s EuReCA database, and findings from the authority’s ongoing monitoring of the financial sector’s fight against financial crime.
This biennial assessment arrives at a pivotal moment for European financial regulation. The EU’s new AML/CFT framework is taking shape, the Anti-Money Laundering Authority (AMLA) is being established, and the financial sector faces a dynamic and increasingly complex risk landscape driven by technological innovation, geopolitical tensions, and evolving criminal methodologies.
The report paints a nuanced picture: while some risk areas are showing improvement thanks to concerted regulatory action, new threats are emerging faster than institutions can develop countermeasures. For financial professionals, compliance officers, and risk managers, understanding these findings is essential for calibrating their approach to AML/CFT compliance in the coming years. This article provides a deep dive into the EBA’s key findings and their practical implications for institutions navigating the DORA regulatory landscape.
FinTech Growth and AML Compliance Challenges
Perhaps the most striking finding in the EBA’s 2025 report is the scale of money laundering risk emerging from the FinTech sector. A full 70% of EU competent authorities report high or increasing ML/TF risks associated with FinTech firms — a significant jump that reflects the sector’s rapid expansion without proportional investment in compliance infrastructure.
The EBA identifies a troubling pattern: many FinTech companies appear to prioritize customer acquisition and market growth over robust AML/CFT controls. This is not merely a theoretical concern. Competent authorities have documented specific vulnerabilities including exposure to cybercrimes, outsourcing of critical functions without effective oversight, and inadequate customer due diligence (CDD) controls that leave significant gaps in risk management.
The expertise gap compounds these risks significantly. Many FinTech firms lack the governance structures and specialized knowledge necessary to identify and tackle ML/TF risks effectively. Unlike traditional financial institutions that have decades of experience with regulatory compliance, many newer FinTech entrants are building their AML programs from scratch — often with limited resources and competing priorities.
A particularly concerning dimension is the acquisition trend. As traditional financial institutions acquire FinTech firms, the compliance weaknesses of these acquired entities can spill over into established organizations. This creates a risk multiplier effect that competent authorities must carefully monitor and that acquirers must address during due diligence processes.
White Labelling and Third-Party Oversight Gaps
The EBA’s report also highlights white labelling as a significant vector for ML/TF risk. When FinTech firms provide white-label solutions to other businesses, the chain of responsibility for AML compliance becomes blurred. The original provider may have limited visibility into how their technology is being used, while the white-label client may assume that compliance is handled upstream. This creates dangerous gaps in oversight that sophisticated criminals can exploit.
RegTech: Promise vs. Implementation Reality
Regulatory technology (RegTech) solutions offer significant potential for improving AML/CFT compliance through automation, real-time monitoring, and sophisticated data analysis. However, the EBA’s findings paint a sobering picture of RegTech implementation across the EU financial sector.
More than half of all submissions to the EBA’s EuReCA database suggest that serious compliance failures were due, at least in part, to the improper use of AML/CFT RegTech. This statistic underscores a critical reality: technology alone does not solve compliance challenges. Without adequate in-house expertise, proper governance structures, and sufficient oversight, RegTech tools can create a false sense of security that actually increases vulnerability.
The concentration risk in RegTech is another major concern. A small number of providers dominate the market, and many financial institutions rely on off-the-shelf solutions that are not tailored to their specific risk profiles. When these solutions fail or produce inaccurate results, the impact can cascade across multiple institutions simultaneously — particularly in the credit and payment institution sectors where adoption is highest.
Despite these challenges, the EBA recognizes RegTech’s transformative potential when implemented correctly. The authority encourages competent authorities to identify and promote good practices in RegTech use, including streamlining workflows, creating dynamic risk profiles, and enabling institutions to manage large data volumes efficiently. The key is ensuring that these tools are used responsibly within established governance frameworks, with human oversight remaining a critical component of the compliance chain.
Crypto Asset Money Laundering Risks and Regulatory Transition
The abuse of crypto asset services for financial crime purposes remains one of the EBA’s top concerns. The report documents a surge in transaction volumes and a remarkable 2.5-fold increase in the number of authorized Crypto Asset Service Providers (CASPs) in the EU between 2022 and 2024. While this growth reflects the sector’s legitimization under the Markets in Crypto-Assets (MiCA) regulation, it has also created new compliance challenges.
Competent authorities have identified several critical weaknesses among CASPs. Many newly authorized entities lack effective AML/CFT systems and controls, creating significant blind spots in transaction monitoring. In some cases, authorities found entities attempting to bypass licensing and registration processes entirely, thereby evading AML/CFT supervision altogether. Concerns were also raised about the integrity of senior management and the transparency of governance arrangements at multiple CASPs.
The use of stablecoins for terrorist financing purposes represents an emerging threat that the EBA highlights with particular urgency. While crypto assets have long been associated with money laundering, the report notes that stablecoins — with their price stability and ease of cross-border transfer — are increasingly attractive for financing terrorism. This trend demands enhanced monitoring capabilities and cross-border cooperation between supervisory authorities.
The MiCA Transition Challenge
The EBA acknowledges that the gap between regulatory expectations and actual practice in the crypto sector reflects the challenges of transitioning to the new EU regulatory framework. While MiCA provides a comprehensive foundation for crypto regulation, its effective implementation requires CASPs to significantly upgrade their compliance capabilities. The EBA emphasizes that enhanced supervisory coordination and enforcement are essential during this critical transition period to close the vulnerability gap.
AI-Driven Fraud and Cybercrime Escalation
The expansion of cybercrime and fraud, fueled by technological sophistication, continues to outpace the financial sector’s defensive capabilities. The EBA’s 2025 report identifies artificial intelligence as both a powerful compliance tool and a dangerous weapon in the hands of criminals.
On the offensive side, criminals are deploying AI to automate complex financial schemes, conceal the origins of illicit funds, and make high-risk transactions increasingly difficult to detect. The use of AI-generated fake documents represents a quantum leap in fraud capability — synthetic identities, fabricated financial statements, and forged corporate documentation can now be produced at scale with unprecedented quality.
Deep-fake technology poses an especially acute threat to customer due diligence processes. Video verification, voice authentication, and document checks — long considered robust controls — are increasingly vulnerable to AI-powered spoofing. Financial institutions that relied on these measures as primary verification methods must now re-evaluate their entire CDD framework.
The volume and velocity of AI-driven attacks are increasing simultaneously, creating a compounding challenge for compliance teams. Traditional rule-based monitoring systems struggle to identify patterns in AI-generated fraud because these schemes are designed to mimic legitimate behavior with high fidelity. The EBA emphasizes the need for financial institutions to deploy advanced AI defenses to counter AI-powered threats — an arms race that requires significant investment in technology, talent, and governance.
Addressing these threats effectively demands responsible AI deployment within robust governance frameworks, supported by comprehensive staff training and real-time monitoring capabilities. Institutions must remain vigilant and adaptive, continuously updating their defensive capabilities to match the evolving threat landscape.
Sanctions Compliance in an Era of Complexity
The number and complexity of EU sanctions packages continue to pose significant challenges for financial institutions. The EBA’s report highlights that standard sanctions screening tools are often insufficient to handle the nuanced requirements of successive restrictive measures packages, creating compliance risks even among institutions with well-established programs.
Competent authorities have intensified their supervisory actions, focusing particularly on the quality of screening systems and the effectiveness of measures to implement restrictive sanctions. Despite this increased oversight, many institutions still lack adequate policies and procedures — a finding that underscores the gap between the pace of sanctions evolution and institutional adaptation.
The introduction of SEPA instant credit transfers creates additional exposure for payment service providers. The real-time nature of these transactions leaves minimal time for sanctions screening, potentially exposing PSPs to heightened risk of breaching restrictive measures — including sectoral sanctions that go beyond targeted financial sanctions. Furthermore, fragmented access to information in card payment infrastructure can lead to inadvertent breaches of restrictive measures.
Looking forward, the EBA expects improvement as two sets of guidelines establishing the first common EU standards for financial institutions to comply with Union and national restrictive measures take effect by the end of 2025. Under the new AML/CFT framework, AMLA and national AML/CFT supervisors will monitor whether obliged entities have appropriate policies and procedures in place for implementing targeted financial sanctions.
Cross-Sectoral ML/TF Risk Trends and Supervisory Response
The EBA’s 2025 report reveals a significant shift in the ML/TF risk landscape: for the first time since the authority began issuing these opinions, risks associated with products and services are overtaking risks related to firms’ customers. This transformation reflects the growing complexity of financial products and the increasing interconnection of services across sectors.
Despite this shift, customer-related risks remain substantial. The report notes that 61% of breaches across all sectors are still caused by customer due diligence shortcomings — a persistent vulnerability that years of regulatory guidance and supervisory action have not fully addressed.
Supervisory engagement has increased significantly across all financial sectors. Competent authorities report a notable uptick in targeted and thematic inspections, with the majority of AML/CFT supervisors providing specific guidance to ensure expectations regarding effective AML/CFT systems and controls are properly applied. This heightened oversight appears to be yielding results in several sectors.
Sector-by-Sector Risk Assessment
Residual risk levels have been improving particularly in credit institutions, credit providers, and the three financial market sectors. The combination of regulatory guidance, supervisory pressure, and industry investment in compliance capabilities is gradually raising the overall standard of AML/CFT controls in these established sectors.
However, the payment institutions and crypto sectors tell a different story. The poor quality of controls — particularly among newly authorized entities — means that existing safeguards remain insufficient to mitigate high inherent risk levels. While supervisory engagement in these sectors has also increased, the EBA acknowledges that tangible improvements will take time to materialize.
Customer Due Diligence: The Persistent Weak Link in AML Compliance
Customer due diligence remains the Achilles’ heel of AML/CFT compliance across the EU financial sector. With 61% of all breaches traced back to CDD shortcomings, the EBA’s report underscores that this foundational element of compliance requires sustained attention and investment from financial institutions at every level.
The nature of CDD failures varies across sectors, but common themes emerge. Many institutions struggle with the ongoing monitoring component of CDD — while initial onboarding checks may be adequate, the continuous assessment of customer risk profiles often falls short. Changes in customer behavior, transaction patterns, or beneficial ownership structures may go undetected for extended periods.
The EBA also addresses ongoing concerns about politically exposed persons (PEPs). Material weaknesses in PEP identification and monitoring continue to plague the sector, while corruption within financial institutions themselves remains insufficiently addressed. These findings suggest that institutions need to move beyond tick-box compliance toward more sophisticated, risk-based approaches to PEP management.
Virtual IBANs represent another area of CDD concern highlighted by the EBA. The use of virtual IBANs can obscure the true identity of account holders and complicate the application of CDD measures, creating opportunities for money launderers to exploit gaps between the issuing institution’s and the servicing institution’s responsibilities. Financial institutions must develop specific protocols to address the unique risks posed by these instruments.
Environmental Crime and Emerging ML/TF Vectors
While traditional ML/TF risks continue to dominate, the EBA’s report draws attention to an increasingly important but often overlooked threat: the laundering of proceeds from environmental crimes. Although these risks are rarely identified by competent authorities, some jurisdictions are taking proactive action due to the prevalence of waste trafficking and other environmental offenses.
Environmental crime represents a significant revenue source for organized criminal groups across Europe, yet the financial sector’s ability to detect related money laundering remains limited. Transaction monitoring systems are rarely configured to identify patterns associated with environmental offenses, and compliance staff may lack the training needed to recognize red flags associated with this crime type.
The EBA encourages competent authorities and financial institutions to develop enhanced capabilities for detecting environmental crime proceeds. This includes updating typologies, training compliance staff, and configuring monitoring systems to identify suspicious patterns associated with waste trafficking, illegal logging, wildlife trafficking, and other environmental offenses. As the EU strengthens its environmental regulatory framework, the intersection between environmental crime and financial crime will become increasingly important for AML compliance programs.
Implications for Financial Institutions and the Path Forward
The EBA’s fifth Opinion on ML/TF risks carries clear implications for financial institutions operating in the EU. The message is unequivocal: while progress is being made in certain areas, the overall ML/TF risk landscape is becoming more complex, more technologically driven, and more interconnected than ever before.
For compliance leaders, the report highlights several priority areas for immediate attention. First, FinTech integration risk must be addressed proactively — whether through better pre-acquisition due diligence, post-merger compliance integration, or enhanced oversight of FinTech partnerships. Second, RegTech governance needs significant strengthening, moving beyond vendor selection to comprehensive implementation oversight, staff training, and outcome validation.
Third, the crypto sector requires dedicated compliance resources and expertise. As the MiCA framework matures, institutions engaging with crypto assets must invest in specialized AML capabilities that address the unique characteristics of this asset class. Fourth, AI must be deployed both defensively and adaptively — institutions need AI-powered compliance tools that can evolve as rapidly as the threats they’re designed to counter.
The establishment of AMLA and the new EU AML/CFT framework represent a watershed moment for the European financial sector. These institutional changes promise more consistent supervisory standards and better cross-border cooperation. However, they also raise the bar for compliance expectations, requiring institutions to demonstrate not just formal compliance but effective risk management that produces measurable outcomes.
Financial institutions that treat the EBA’s findings as a roadmap for compliance investment will be better positioned to navigate the evolving regulatory landscape. Those that continue to treat AML/CFT as a cost center rather than a strategic imperative risk falling behind — not just in regulatory compliance, but in managing the genuine financial stability risks that money laundering and terrorist financing pose to the broader financial system.
Frequently Asked Questions
What are the main money laundering risks identified in the EBA 2025 report?
The EBA 2025 report identifies FinTech firms prioritizing growth over compliance, crypto asset service providers lacking effective AML controls, AI-driven fraud schemes increasing in sophistication, and RegTech implementations failing due to poor governance as the main ML/TF risks across EU financial services.
How does the EBA report address crypto asset money laundering risks?
The EBA highlights a 2.5-fold increase in authorized CASPs between 2022 and 2024, with many lacking effective AML/CFT systems. The report notes entities attempting to bypass licensing processes, inadequate governance arrangements, and increasing use of stablecoins for terrorist financing purposes.
What role does AI play in money laundering according to the EBA?
According to the EBA, criminals are using AI to automate financial schemes, conceal fund sources, generate fake documents, simulate legitimate operations, and deploy deep-fake technologies to evade customer due diligence measures. AI-driven attacks are increasing in both volume and velocity.
What improvements has the EBA observed in AML compliance across the EU?
The EBA notes positive developments including decreasing risks related to tax crimes and unwarranted de-risking, with 80% of competent authorities indicating de-risking is declining. Supervisory engagement has increased across all sectors, and residual risk levels are improving in credit institutions and financial market sectors.