EBA: national regulators are falling behind on AML/CFT risks

EU national regulators are falling behind on anti-money laundering and countering the financing of terror (AML/CFT) risks, according to the European Banking Authority (EBA) opinion and report, published on July 28.  

In its report, the EU watchdog set out its expectations for national authoritiesʼ supervisory standards, particularly on cryptocurrency and fintech firms. However, it noted that it has not carried out a cost-benefit analysis or opened any public consultation in regard to the opinion.

“Competent authorities need to be mindful of this when putting together their supervisory plans, to ensure compliance keeps pace with innovation. The lack of robust AML/CFT controls in the sector reflects a gap between regulatory expectations, legal obligations and actual practice,” the EBA said.

At the Royal United Services Instituteʼs (RUSI) AML conference in Vilnius, on insights into the implementation of the new EU “AML package” of regulations in Lithuania, industry representatives took a different view. According to the conference report published on July 25, the EU AML package will add extra complexity to the financial innovation landscape.

Fintech risks increase

The fintech sector was central to the EBA’s concerns, as its survey found that 70% of EU national authorities are reporting “high or increasing” AML/CTF risks from the sector.

With rapidly developing business models, some fintech providers — such as payment institutions — are “prioritising” customer acquisition over compliance, said the EBA. It also highlighted the AML/CFT risks as products of increased exposure to cybercrime, unchecked outsourcing and weak customer due diligence, which could “spill over” into traditional finance (TradFi) if the fintechs are bought out by other companies.

While the EBA believed that regulatory technology (regtech) could mitigate the risks, it said many fintechs also used them as “off-the-shelf” solutions, leading to further compliance failures.

However, Lithuanian fintech stakeholders said at the RUSI conference that, although they were “actively contributing” to the EBA-led consultations, there was still a lack of fintech industry representation at the EU level. A sector representative stressed the need to reflect “fintech-specific operational realities” in the regional regulations.

Complex crypto

The EBA also expressed concerns over crypto firms introducing further AML/CFT risks into the EU financial system. With the current “transition period” of the Markets in Crypto-Assets Regulation (MiCA), the EU authority found that some responsible national authorities are “bypassing” licensing and registration processes, creating loopholes in AML/CFT supervision.

The EBA said: “In several cases, the integrity of crypto-asset service providers’ senior management and the transparency and adequacy of the governance arrangements were not assured. This suggests that, overall, the ML/TF risk in the sector may not have been identified or managed adequately.”

Meanwhile, at the RUSI conference, industry representatives claimed that the EUʼs “evolving and complex” crypto framework was making it harder to establish a presence in the region. For example, some firms may not fall under the jurisdiction of MiCA, yet still be subject to AML obligations under the EU AML package.

Solution: EU AML package?

The upcoming EU AML package is expected to be implemented by 2027. The new rules require information sharing on high-risk customers, tighter Know Your Customer (KYC) checks, and enhanced due diligence.

RUSI conference attendees did not think the regime was “transformative”, but believed that the new requirements would demand extensive system and procedural adjustments. They also expected compliance and monitoring teams to face an increased workload.

“The EU AML package represents a shift away from a risk-based approach towards a more rules-based regime, which may stifle innovation, particularly in remote onboarding processes,” they added.