Identified vulnerabilities and risks in the financial sector regarding anti-money laundering prevention
Last July, the European Banking Authority (EBA) published its Fifth Opinion regarding the risks of money laundering and financing of terrorism identified in the financial sector. This is complemented by a document published by the UK Home Office and Treasury on the National Risk Assessment of Money Laundering and Financing of Terrorism 2025 (NRA).
The rapid expansion of new technologies has resulted in simpler client onboarding processes compared to traditional banking. However, financial products have introduced vulnerabilities in the financial sector regarding AML/CFT, putting companies offering certain financial services (especially the FinTech, RegTech, and Crypto sectors) in the spotlight.
The EBA outlines the following identified risks in its opinion:
- FinTech: 70% of the competent authorities in the EU report high or increasing risks of money laundering and financing of terrorism in this sector.
- RegTech: RegTech solutions offer significant potential to improve regulatory compliance and reduce manual errors, but their implementation has been hampered by poor governance and insufficient oversight. The main risk has been identified in the use of RegTech solutions for applying due diligence measures and transaction oversight.
- Crypto: Competent authorities find that crypto asset service providers (CASPs) often lack effective systems and controls against money laundering and financing of terrorism. This type of service has been identified as mostly lacking robust due diligence procedures and facing difficulties in identifying ultimate beneficial owners. However, it is important to note that the MiCA Regulation will come into effect on 30 December 2024, so the next EBA report on the risks of the crypto sector may vary.
- Risks associated with the use of vIBANs (virtual IBANs): vIBANs pose serious transparency risks. The EBA notes in its report that FinTechs using this type of IBAN in many cases create opacity by hiding the true account holder. Furthermore, it is emphasized that the new European legislative package (specifically, Regulation (EU) 2024/1624 of the European Parliament and the Council, dated 31 May 2024) imposes an obligation on credit institutions and financial entities to identify and verify the identity of the individuals or legal entities using the virtual IBANs they issue, as well as the bank or payment accounts those vIBANs are associated with.
- Fraud and AI: Risks increase as automation and artificial intelligence drive increasingly sophisticated schemes. The EBA indicates that in recent years, the use of AI to generate false documents, simulate identities, and carry out client onboarding processes based on deepfakes has increased.
- Sanctions and Geopolitics: The number and complexity of the EU’s sanctions packages continue to pose significant challenges to financial institutions, as they often cannot be applied using standard sanction control tools.
What should the financial sector do?
- Review the status of its AML/CFT systems and client onboarding processes (KYC).
- Pay attention to sanctions and geopolitical risks, which change constantly.
- Establish rigorous controls to comply with growing regulatory obligations and help mitigate money laundering and other financial crimes.
Information note written by the Governance and Compliance practice of ECIJA Madrid.