Money Laundering Risks in EU Finance: Complete EBA 2025 Report Analysis
Table of Contents
- Understanding the EBA’s 2025 ML/TF Risk Landscape
- FinTech Money Laundering Risks: Growth vs Compliance
- Crypto Asset Risks and the CASP Explosion
- RegTech Failures Creating New Vulnerabilities
- AI-Driven Fraud and Cybercrime Escalation
- Sanctions Compliance Challenges in EU Finance
- Terrorist Financing Risks and Stablecoin Misuse
- Sector-by-Sector AML/CFT Risk Analysis
- Positive Developments: De-Risking and Tax Crime Decline
- The New EU AML/CFT Framework: What Changes
📌 Key Takeaways
- 70% of EU authorities report high or increasing money laundering risks in the FinTech sector, with compliance lagging behind innovation.
- 2.5x increase in authorized crypto asset service providers (CASPs) between 2022 and 2024, many with inadequate AML controls.
- 61% of AML breaches across all financial sectors are still caused by customer due diligence (CDD) shortcomings.
- EUR 4.3 billion in payment fraud detected in 2022, driven by AI-powered schemes and social engineering.
- 80% of authorities report that unwarranted de-risking is declining or no longer an issue, marking a positive trend.
Understanding the EBA’s 2025 Money Laundering Risk Landscape
The European Banking Authority’s fifth Opinion on money laundering and terrorist financing risks, published in July 2025, paints a complex picture of an EU financial sector grappling with rapid technological innovation, evolving criminal behaviors, and an increasingly interconnected service landscape. Based on data spanning January 2022 through December 2024, the report draws on responses from 52 AML/CFT competent authorities across 29 Member States, making it the most comprehensive assessment of money laundering risks in European finance to date.
The findings reveal a financial sector at a crossroads. While innovation in FinTech, RegTech, and artificial intelligence holds tremendous promise for more effective compliance and crime prevention, the EBA’s evidence suggests that the industry’s drive for growth may be outpacing its ability to manage ML/TF risks. Credit institutions, payment institutions, and e-money sectors are particularly exposed to these emerging vulnerabilities, creating a pressing need for regulatory clarity and consistent risk-based approaches.

Perhaps most striking is the shift in the nature of risk itself. For the first time since the EBA began issuing these opinions, risks associated with financial products and services have overtaken those related to firms’ customers. This represents a fundamental evolution in the money laundering threat landscape — the tools and channels through which financial crime occurs are now more concerning than the actors themselves. Yet customer due diligence failures remain stubbornly prevalent, accounting for 61% of breaches across all sectors.
This comprehensive analysis breaks down the EBA’s key findings, from FinTech compliance gaps and crypto asset vulnerabilities to AI-driven fraud and the evolving sanctions landscape. Whether you’re a compliance officer, financial institution executive, or regulatory professional, understanding these risks is essential for navigating the DORA regulation era and beyond.
FinTech Money Laundering Risks: Growth vs Compliance
The tension between innovation and compliance in the FinTech sector has become one of the most significant money laundering risks identified by the EBA. According to the report, 69% of competent authorities consider that ML/TF risk associated with FinTech has remained high or increased, with technology-focused firms appearing to prioritize rapid customer acquisition over robust AML/CFT controls.

The numbers tell a concerning story. Sixty-four percent of competent authorities — up from 39% in 2023 — highlight exposure to cybercrime as an important vulnerability in the FinTech space. Meanwhile, 55% of authorities point to complex internal arrangements and widespread reliance on outsourced service provision as a significant ML/TF risk, and a remarkable 86% consider cross-border transaction risk as significant or very significant.
On the controls side, the picture is equally troubling. Nearly half of all competent authorities assess FinTech firms’ AML/CFT controls as inadequate, with specific concerns about transaction monitoring (52%), customer due diligence measures (48%, up from 34% in 2023), and an overall lack of understanding by institutions of ML/TF risks associated with their products and services (52%, up from 35% in 2023). The upward trajectory of these figures suggests the compliance gap is widening, not narrowing.
White Labelling and Virtual IBANs
Two emerging risk vectors deserve particular attention. White labelling — where a firm offers another institution’s financial products under its own brand — creates complex contractual arrangements that can obscure AML/CFT responsibilities. Ninety percent of competent authorities that assess white labelling risks rate them as medium or high, yet nearly half of all authorities have not assessed this risk at all.
Virtual IBANs present another growing challenge. These can obscure the true identity of account holders and create difficulties for payment service providers in monitoring business relationships. The risk of cascading vIBANs — where one PSP provides vIBANs generated by another institution — is considered very significant by authorities in both the payment institution and credit institution sectors. The new AML Regulation, applying from July 2027, will require vIBANs to be registered in national central registers of bank accounts, a critical mitigation measure.
Crypto Asset Money Laundering Risks and the CASP Explosion
Between 2022 and 2024, the number of licensed or registered crypto asset service providers in the EU multiplied by 2.5, reaching 2,525 by the end of 2024. Transaction volumes and average values have surged in parallel, creating an expanding attack surface for financial crime. This explosive growth has led 17% of competent authorities to conclude that crypto-related ML/TF risk has increased.

The EBA’s findings on CASP compliance are particularly stark. The most significant risk remains the lack of understanding of ML/TF risks associated with individual business relationships, with 53% of authorities assessing this as very significant or significant. More than half of authorities identify high risks linked to customer location or business activity, while 43% point to significant risks from failures in customer identity verification.
An exercise conducted by the EBA in 2024 revealed that some entities have attempted to bypass licensing and registration processes entirely, thereby evading AML/CFT supervision. Furthermore, in several cases, the integrity of CASPs’ senior management and the transparency of governance arrangements were not assured, suggesting that the sector’s risk management remains fundamentally inadequate in many instances.
The spill-over of crypto risks into traditional finance is a growing concern. Thirty-five percent of authorities observed an increasing crossover between CASPs and e-money institutions for crypto-to-fiat conversion services, often through group structure arrangements with unclear governance and operational boundaries. This interconnection means that weaknesses in crypto compliance can propagate throughout the financial system, a concern highlighted in related analyses of the state of DeFi and blockchain technology.
RegTech Failures: When Technology Creates New Money Laundering Risks
RegTech solutions — technology-enabled tools for regulatory compliance — should be a powerful weapon against money laundering. They can streamline workflows, create dynamic risk profiles, and enable institutions to manage large data volumes efficiently. Yet the EBA’s findings reveal a troubling paradox: the careless deployment of these very tools is itself creating new vulnerabilities.
Half of all competent authorities surveyed identified ML/TF risks associated with RegTech use by obliged entities, and 15% consider that risk has increased. Data from the EBA’s EuReCA database is particularly damning: over 2023 and 2024, more than half of the financial institutions for which material weakness reports were submitted had deficiencies linked to RegTech technologies, systems, and tools — totaling 277 material weaknesses.
The three most significant RegTech-related risks identified by authorities are outsourcing (55% of authorities rate this as significant or very significant), automation without effective monitoring (46%), and lack of in-house skills (36%). Concentration risk is also a concern for 32% of authorities, as heavy reliance on a small number of RegTech solutions across many supervised entities creates systemic vulnerabilities — especially when those solutions are not customized to each entity’s specific needs.
One-third of authorities point to institutions implementing RegTech solutions without adequate testing, failing to ensure transparency and explainability of their systems, and being unable to demonstrate their effectiveness. This “unthinking use” of RegTech — deploying tools without understanding their limitations or ensuring proper calibration — is transforming what should be a compliance asset into a compliance liability.
AI-Driven Fraud and Cybercrime: The Fastest-Growing Money Laundering Risk
The scale, diversity, and sophistication of fraudulent activities have reached unprecedented levels, driven by advances in automation and artificial intelligence. The EBA’s Consumer Trends Report identifies payment fraud as the most significant issue for EU consumers, while the June 2025 EBA Risk Assessment Report shows that fraud risk awareness has grown from 33% to 52% agreement among banks in just two years, making it the second most relevant operational risk.

Criminals are using AI to automate financial schemes, conceal fund sources, and make high-risk transactions harder to detect. Deepfake technologies are being deployed to evade CDD measures and identity controls during remote onboarding. In one case study highlighted by the EBA, criminal networks exploited generative AI to bypass standard identity verification at multiple financial institutions, using impersonation, false identities, and purchased companies to launder the proceeds of scams.
The financial impact is staggering. A joint EBA/ECB report revealed EUR 4.3 billion in payment fraud in 2022 alone, with another EUR 2.0 billion in the first half of 2023. While the introduction of strong customer authentication has helped reduce some fraud types, criminals have adapted by creating new attack vectors that exploit AI-generated, highly realistic narratives incorporating trending societal topics.
Credit institutions, investment firms, and fund managers are particularly vulnerable. Thirty-six percent of authorities supervising credit institutions consider fraud risk significant or very significant, with one Member State reporting a 35% increase in suspicious transaction reports related to fraud since 2021. In the investment sector, “rug pull scams” with fake crypto tokens and sophisticated Ponzi schemes are proliferating. The implications for how institutions approach cybersecurity frameworks are profound.
Sanctions Compliance Challenges in EU Financial Services
A quarter of competent authorities report that the risk of non-compliance with restrictive measures has increased since 2023, driven primarily by the number and complexity of EU sanctions packages. Sectoral restrictive measures, in particular, cannot be implemented through standard sanctions screening tools, creating operational challenges for financial institutions of all sizes.
The EBA found persistent weaknesses in several areas: failure to establish robust internal processes and governance arrangements, inadequate exposure assessments, and deficiencies in screening system record-keeping. Some institutions could not demonstrate that they had checked sanctions lists before onboarding new customers, while divergences in the frequency of list updates and screenings created additional gaps. Member States bordering Russia noted risks of large cash transactions via currency exchanges connected to sanctions evasion.
Specific challenges arise in two critical areas. SEPA instant credit transfers, which must complete within 10 seconds, create a tension between speed and compliance — the time constraint may impede checks needed to stop unusual transactions between initiation and execution. Additionally, the fragmented infrastructure of card payment schemes means that acquirers typically have access only to card numbers and payment amounts, without the ability to identify customers by name, creating potential sanctions blind spots.
Between 2022 and 2024, 20 competent authorities submitted 109 material weaknesses related to sanctions compliance to EuReCA. In response, the EBA published two landmark sets of guidelines in November 2024, establishing the first common EU standards for sanctions compliance in financial institutions. These guidelines, applicable from December 2025, specify governance arrangements, policies, procedures, and controls that institutions must maintain, along with specific requirements for PSPs and CASPs when performing fund transfers.
Terrorist Financing Risks and the Rise of Stablecoin Misuse
While the overall level of terrorist financing risk remains stable according to most competent authorities, the EBA report identifies concerning new trends. Investigations by law enforcement authorities across Member States confirm that cryptocurrencies continue to be used for terrorism financing, but with an important shift: Europol has observed a move away from Bitcoin toward stablecoins, which offer price stability and usability for international transfers.
One-third of all competent authorities expressed concern that TF risks are insufficiently managed across all sectors. Institutions often over-rely on sanctions list screening as their only TF monitoring tool, neglecting the broader detection capabilities needed to identify terrorist financing patterns. Between 2022 and 2024, 62 material weaknesses related to TF risk were submitted to EuReCA — nearly half involved insufficiently robust TF risk assessment methodologies, 38% involved absent or failed transaction monitoring scenarios, and 35% were linked to deficient sanctions screening tools.
The emergence of e-money tokens (EMTs) as vehicles for financial crime is a notable development. By the end of 2024, there were 13 EMT issuers in the EU. Authorities are concerned about illicit funds being converted into EMTs to obfuscate their source, particularly through peer-to-peer platforms where KYC requirements are not consistently enforced. Once acquired, EMTs can be redeemed for fiat currency, making the financial trail extremely difficult to trace.
Sector-by-Sector AML/CFT Risk Analysis
The EBA’s granular sector-by-sector analysis reveals a mixed picture of progress and persistent challenges across the EU financial landscape. Understanding where risks are concentrating — and where controls are improving — is essential for targeted compliance investment.
Improving Sectors
Residual risk levels have decreased markedly in credit institutions: 66% of authorities still consider inherent risk significant or very significant (down from 73% in 2021), but improved controls are reducing actual exposure. Investment funds, life insurance intermediaries, and collective investment undertakings have also seen meaningful risk reductions, driven by better supervision and more effective AML/CFT systems.
Deteriorating Sectors
Payment institutions, e-money institutions, and CASPs tell a different story. Almost 70% of authorities assess payment institutions’ inherent risk as significant, up from 59% in 2021. E-money institutions face increasing risk as the sector grows (a 70% increase in supervised EMIs between 2021 and 2024) and new products like EMTs emerge. In three sectors — payment institutions, bureaux de change, and CASPs — residual risk actually exceeds inherent risk, indicating that AML/CFT controls are fundamentally inadequate to address the threats.
Breach Patterns
The EBA reports a consistent increase in minor AML breaches, which more than doubled from 2020 to 2024. This may partly reflect the 40% increase in off-site supervisory reviews, but it also signals ongoing systemic weaknesses. CDD remains the most common failure point across all sectors, though the specific nature varies: credit institutions tend to have policies in place but fail to apply them effectively, while e-money institutions and bureaux de change struggle with basic customer identification.
Positive Developments: De-Risking Decline and Tax Crime Improvements
The EBA’s 2025 report is not exclusively a chronicle of rising risks. Several areas show genuine improvement, reflecting the impact of concerted regulatory, supervisory, and institutional action over recent years.
De-risking — the practice of financial institutions refusing to serve certain customers or categories — has been a persistent concern, particularly for non-profit organizations, correspondent banks, and vulnerable populations. The 2025 report shows significant progress: 40% of competent authorities indicate that unwarranted de-risking has decreased, and another 40% suggest it is no longer an issue in their Member State. Only 10 material weaknesses linked to de-risking were submitted to EuReCA between 2022 and 2024, and 80% of authorities took action following the publication of EBA guidelines on this topic.
Risks related to tax-related crimes also appear to be decreasing. No competent authorities reported an increase in tax crime risks, and the proportion of authorities that do not consider it a risk in their jurisdiction rose from 20% to 37%. Most Member States have taken concrete steps, including updated national risk assessments (43% of Member States), information exchanges with tax authorities (29% of CAs), and thematic supervisory reviews (15% of CAs). These improvements in financial crime monitoring are consistent with broader trends seen in the ECB’s Annual Report 2024.
Supervisory activity itself has intensified significantly. Off-site reviews increased by 41% from 2022 to 2024, with particularly notable growth in reviews of CASPs (+431% between 2022 and 2023) and bureaux de change (+41%). This increase in supervisory intensity, combined with more risk-based and targeted approaches, is contributing to the improvement in residual risk levels observed across several sectors.
The New EU AML/CFT Framework: What Changes for Financial Institutions
The EBA’s 2025 report lands at a pivotal moment for European financial regulation. The AML Regulation (EU) 2024/1624 introduces comprehensive new requirements that will reshape how financial institutions approach anti-money laundering compliance.
Key regulatory changes include the requirement that virtual IBANs be registered in national central registers (applicable from July 2027), new common standards for sanctions compliance (applicable from December 2025), specific AML/CFT frameworks for CASPs under MiCA, and the establishment of the Anti-Money Laundering Authority (AMLA) with direct supervisory powers over the highest-risk cross-border entities.
For financial institutions, the implications are clear. Compliance programs must evolve beyond checkbox exercises to become genuinely risk-based and technology-enabled. RegTech solutions need proper calibration, testing, and oversight — the era of “deploy and forget” must end. Crypto-related activities require dedicated risk management capabilities, even for traditional institutions whose customers use crypto services. And AI-driven threats demand equally sophisticated defensive technologies, supported by skilled staff and robust governance.
The EBA’s recommendations underscore the importance of competent authorities taking a more intrusive supervisory approach, particularly toward newly authorized entities in high-risk sectors. With the EU AI Act adding another regulatory layer, financial institutions face an increasingly complex compliance landscape that demands both technological sophistication and deep regulatory expertise.
The report also signals that AMLA and national AML/CFT supervisors will monitor compliance with targeted financial sanctions as part of their broader supervisory remit, creating a more unified and consistent enforcement framework across the EU. This shift represents perhaps the most significant structural change in European AML/CFT governance since the establishment of the EBA’s own role in this area.
Frequently Asked Questions
What are the biggest money laundering risks in EU finance in 2025?
According to the EBA’s 2025 report, the biggest money laundering risks include FinTech firms prioritizing growth over compliance, inadequate AML controls among crypto asset service providers (CASPs), the misuse of RegTech solutions, and AI-driven fraud schemes that are increasingly sophisticated and difficult to detect.
How does the EBA report address crypto asset money laundering risks?
The EBA found a 2.5-fold increase in authorized CASPs between 2022 and 2024, with many lacking effective AML/CFT controls. The report highlights concerns about crypto-to-fiat conversion services, self-hosted wallets, and the spill-over of crypto risks into traditional banking, payment, and e-money sectors.
What role does AI play in money laundering and fraud prevention?
AI plays a dual role: criminals use AI to automate financial schemes, generate fake documents, create deepfakes to evade identity controls, and make high-risk transactions harder to detect. Simultaneously, financial institutions are exploring AI and machine learning for AML compliance, though adoption remains at an early stage with only about 10% of EU banks testing AI for AML purposes.
What is the EBA’s stance on FinTech AML compliance?
The EBA found that 70% of EU competent authorities report high or increasing ML/TF risks in the FinTech sector. Key concerns include prioritizing customer acquisition over compliance, exposure to cybercrimes (64% of authorities), inadequate transaction monitoring (52%), and poor customer due diligence controls (48%). The EBA emphasizes that compliance must keep pace with innovation.
How has sanctions compliance evolved in EU financial institutions?
A quarter of competent authorities report increased risks of non-compliance with restrictive measures since 2023, driven by the complexity of successive EU sanctions packages. The EBA published two sets of guidelines in November 2024 establishing the first common EU standards for financial institutions’ sanctions compliance, applicable from December 2025.