In July 2025, the European Banking Authority (EBA) issued a stark Opinion highlighting rising money laundering and terrorist financing (ML/TF) risks in the fintech sector. The rapid growth of fintechs, including electronic money institutions (EMIs) and payment providers, has outpaced the development of equally robust compliance controls. The EBA warns that innovation has come at the cost of compliance, with new vulnerabilities emerging from digital finance. This comes against the backdrop of major EU AML reforms (including a new EU AML Authority and Regulation) aiming to tighten oversight. In short, regulators are signaling that the era of light-touch AML compliance for fintechs is over. Fintech compliance officers, risk leads, and founders must act now to strengthen their defenses and meet the higher standards being set.
EBA’s 2025 Opinion: Key AML/CFT Risks in FinTech
The EBA’s 2025 Opinion, based on data through end-2024, stresses several critical risk areas for fintech companies. 70% of national regulators now report high or increasing ML/TF risks in the fintech sector, reflecting a gap between rapid business growth and effective AML controls. Below are the key weaknesses the EBA flagged:
- Under-resourced compliance and governance gaps: Many fintechs (e.g. EMIs and payment institutions) have prioritized aggressive customer growth over building strong compliance programs. Regulators found that fast-growing firms often had insufficient and unskilled compliance staff to handle the volume of alerts generated by transaction monitoring and screening systems. In short, compliance teams are underpowered: a recipe for alerts going unmanaged and risks being overlooked. This lack of resources and expertise is leading to weak AML governance and oversight in some fintechs.
- Poor Customer Due Diligence (CDD) practices: The EBA observed that fintech providers frequently exhibit weak CDD and onboarding controls, making them attractive targets for illicit use. Common failures include inadequate customer identification and verification, and not obtaining beneficial ownership information, especially in higher-risk products. In fact, most AML breaches reported by regulators relate to CDD measures not being applied effectively, with frequent failures in customer risk rating and due diligence across sectors. These CDD gaps mean criminals can slip through onboarding or remain as clients without proper risk assessment.
- Ineffective use of RegTech solutions: While technology could improve compliance, the EBA found it often isn’t living up to its promise in fintech. Over half of serious compliance failures reported to the EBA involved improper use of RegTech tools. Many firms rely on “off-the-shelf” AML software without proper implementation or customization, leading to a false sense of security. The EBA noted that a lack of in-house expertise and oversight over these tools results in poor calibration (e.g. rules not tuned to the firm’s risk profile) and missed suspicious activity. In other words, technology alone isn’t a silver bullet; how it’s governed and integrated matters greatly.
- Misuse of crypto and payment infrastructure by criminals: Fintech platforms, especially in payments and crypto, are being exploited for illicit purposes. The EBA flags the crypto-asset sector as high-risk, citing a 2.5-fold increase in authorized crypto-asset service providers (CASPs) between 2022 and 2024, many of which lack effective AML controls. Alarmingly, some crypto firms have attempted to bypass licensing and AML oversight altogether, operating in regulatory gray areas. This creates loopholes that money launderers can abuse. Likewise, innovative payment products (e.g. virtual IBAN accounts, instant payments) can be misused to obfuscate illicit transactions if not properly monitored. For example, regulators noted that virtual IBAN services have been linked to fraud and transaction layering schemes. Fintechs providing payment infrastructure face heightened risk that bad actors will channel dirty money through their platforms if AML controls are weak.
- Static risk scoring and failure to re-risk-rate clients: A recurring theme is fintechs doing a one-time risk assessment at onboarding and then failing to update customer risk profiles as circumstances change. The EBA observed that some firms conduct due diligence at account opening but do not monitor or re-evaluate risk effectively thereafter. This leads to stale risk ratings that don’t reflect a customer’s current behavior or emerging red flags. Indeed, regulators have frequently reported failures in ongoing monitoring and customer risk re-assessment, which allowed high-risk customers to continue transacting undetected. The message is clear: continuous, dynamic risk management, adjusting risk scores based on live behavioral data, is now expected as the norm, not a “nice-to-have”. Firms clinging to static risk models or periodic reviews risk missing fast-evolving threats.
These risk areas are interrelated and compounding. Under-resourced compliance teams may lean on poorly implemented RegTech, resulting in incomplete CDD or missed re-risking of clients, all of which bad actors are quick to exploit via fintech and crypto channels. The EBA’s opinion puts fintechs on notice that these gaps must be addressed urgently.
EU AML Reforms Raise the Bar: AMLA, Regulation, and Convergence
The EBA’s warnings come at a time of sweeping changes in the EU’s anti-money laundering framework. The European Union is moving from directives to directly applicable regulations and creating a new supranational regulator, changes that will significantly tighten oversight on fintechs in the coming years.
- New EU AML Authority (AMLA): In 2024, the EU formally established a centralized Anti-Money Laundering Authority (AMLA), which became operational in July 2025. This agency’s mission is to coordinate all national AML/CFT supervisors and harmonize enforcement across Europe, ending the patchwork of differing national approaches. AMLA will also have direct supervisory powers over certain “high-risk” or cross-border financial institutions. By 2027, AMLA is expected to directly supervise at least 40 firms, potentially including large fintechs, EMIs, and crypto providers that have significant risk or operate EU-wide. For fintechs, this means that even if your home regulator was lenient, a pan-European watchdog will be watching with a much sharper eye.
- EU AML Regulation and unified rulebook: Alongside creating AMLA, the EU in 2024 passed a new AML Regulation as part of its “AML package.” Unlike a directive, this regulation will apply uniformly across member states, effectively creating one EU-wide rulebook for AML/CFT. The AML Regulation (and a complementary 6th AML Directive) will impose tougher requirements on customer due diligence, information sharing, and risk management when it fully comes into effect by 2027. For example, firms will face stricter Know Your Customer (KYC) checks, mandatory sharing of data on high-risk customers across the EU, and enhanced due diligence for higher-risk situations. The goal is to eliminate weak links in the chain by leveling up standards everywhere. Fintechs that operate in multiple EU countries (or plan to expand) will need to meet these harmonized, likely stricter, obligations: there will be no more arbitrage by choosing the easiest regulator.
- Supervisory convergence and no more gaps: The broader theme is convergence, ensuring every EU country enforces AML rules robustly and consistently. The EBA explicitly noted a gap between regulatory expectations and actual practice in parts of the fintech sector, and it is urging national authorities to close that gap. With AMLA overseeing the overseers, we can expect more intrusive inspections and less tolerance for lax enforcement. National regulators have already begun increasing their scrutiny of fintechs: for instance, on-site AML inspections of e-money institutions in the EU rose by 27% in recent years as authorities responded to risk signals. The EBA is also issuing detailed guidelines (e.g. on sanctions compliance by end-2025) to harmonize supervisory standards across the EU. All of this means fintechs will face a more unified and unforgiving compliance environment, one where “creative” interpretations of AML rules won’t fly. There is a clear regulatory push to ensure innovation does not outpace compliance, and that message is being backed by new laws and bodies with real teeth.
Regulators Crack Down: No More Tolerance for Weak Compliance
For fintechs, EMIs, and payment firms, the implications are unmistakable. Regulators are shifting from raising awareness to enforcement mode. Past leniency toward startups is evaporating as fintech matures into mainstream finance. Recent regulatory actions underscore that weak AML controls can and will lead to serious consequences:
- Licenses and fines at stake: As the ultimate warning example, the EBA’s report noted an instance where an Electronic Money Institution had such egregious AML failings that its authorization was withdrawn in 2024. In other words, the firm was effectively shut down by regulators due to compliance breaches. Similarly, traditional banks have faced record fines (e.g. a $3.1bn penalty against TD Bank in 2024) for AML program failures that included broken risk rating systems. Fintechs are not immune from these outcomes. As regulators step up inspections, those firms found flouting AML requirements could face license revocations, heavy fines, or bans on certain activities.
- Proof, not promises (“controls must work in practice”): A key theme from the EBA and others is that having policies on paper is not enough; supervisors now demand evidence that your AML controls actually work in real-life scenarios. For example, if your transaction monitoring system generates 1,000 alerts a month, can your team triage and investigate them promptly with documented outcomes? If you claim to do ongoing customer risk assessments, can you show audit trails of risk scores being updated over time? Regulators will ask not just what your policies are, but how you ensure those policies are effective and up-to-date against current risks. Fintechs that treated compliance as a checkbox exercise are in for a rude awakening. Going forward, expect detailed audits and “live fire” testing of AML systems and processes. Compliance programs need to be audit-ready at all times, with every alert, decision, and update traceable.
- Focus areas: onboarding, monitoring, and outsourcing: Based on the EBA’s findings, examiners will pay special attention to known weak spots in fintech compliance. Customer onboarding and KYC processes will be scrutinized for thoroughness; any lapses in verifying identities or sources of funds will draw criticism. Transaction monitoring (TM) systems will be evaluated for whether they are calibrated to the firm’s risk (rather than using generic settings), and whether they adapt to new criminal tactics. The EBA specifically called out untested or static monitoring models and “weak thresholds” that fail to catch suspicious patterns in fast-moving environments. Another area is outsourcing and partnerships: fintechs often rely on third parties (for KYC verification, core banking, etc.) or engage in banking-as-a-service models. Regulators will check that fintechs exercise effective oversight over these arrangements. The EBA warns of “inherited risk”: for example, when an established bank relies on a fintech partner’s checks at onboarding but doesn’t monitor that partner’s clients afterward. Fintechs need to ensure any outsourcing or agent relationships include robust AML controls and reporting, because regulators will hold the licensed entity ultimately responsible.
The bottom line is that EU fintechs are now under far stricter scrutiny. Practices that might have been tolerated a few years ago, such as superficially scanning new customers and never revisiting their risk, or plugging in a compliance tool without proper tuning, are no longer acceptable. Regulators have signaled that they will intervene decisively (with enforcement actions) if fintech firms do not shore up these vulnerabilities. For fintech leaders, this is a pivotal moment: proactively strengthen your AML/CFT program now, or risk facing regulatory wrath when the new EU AML regime fully kicks in.
Strengthening Your AML Program: How RegTech Can Help
Facing this reality, fintechs and EMIs need to build compliance agility, the ability to rapidly adapt and maintain effective controls as risks evolve. Fortunately, modern RegTech platforms can address many of the gaps identified by the EBA, if implemented properly. A prime example is Flagright’s AI-native AML platform, which is designed to give fintech compliance teams a system that is both comprehensive and easy to use. Here’s how platforms like Flagright help firms tackle the EBA’s concerns:
- Continuous risk scoring and re-rating of clients: Rather than static one-time risk assessments, Flagright enables dynamic risk profiling for customers and transactions in real time, based on both inherent attributes and behavioral patterns. This means as a customer’s activity changes (e.g. transaction volumes, geographies, suspicious behaviors), their risk score automatically adjusts. Compliance officers can set rules to trigger enhanced due diligence or reviews when risk levels rise. This continuous re-risk-rating ensures you always know your customer’s risk today, not just at onboarding, which is exactly what regulators expect in terms of ongoing risk-based monitoring.
- Real-time transaction monitoring with audit-ready case management: An effective AML program needs to detect suspicious transactions as they happen and handle investigations efficiently. Flagright’s platform provides real-time AML monitoring with dynamic risk-based rules and instant alerts. Firms can customize rules (without coding) to flag unusual patterns, and the system generates alerts immediately for review. Crucially, the platform includes an integrated case management system that streamlines investigations and keeps an audit trail of every action. Analysts can document their findings and decisions within the case, and Flagright automatically logs timestamps, investigator notes, and any rule adjustments. The ability to generate detailed compliance reports on demand means you can demonstrate to auditors and regulators exactly how each alert was handled and resolved. This audit-ready approach not only helps avoid gaps, but also saves time during regulatory inspections or internal audits.
- Intelligent screening with explainable AI suppression of false positives: Name screening for sanctions, PEPs (Politically Exposed Persons), and adverse media is another pain point: legacy systems often produce an overwhelming number of false positives. Flagright addresses this with its AI Forensics for screening, essentially an AI-driven layer that automatically investigates and clears false positive alerts in seconds. The platform’s AI agents can match and contextualize data (for example, distinguishing your customer “John Doe” from a sanctions-listed “John Doe” by analyzing additional attributes) and then document the rationale (disposition narrative) for why an alert was suppressed. This use of explainable AI drastically reduces the manual workload on compliance analysts while maintaining transparency. Flagright reports up to 90% reduction in false positives, letting your team focus on genuine risks. Moreover, all AI decisions are logged, so you retain full oversight, aligning with regulators’ call for “responsible AI use and robust monitoring” in AML.
- No-code rule engine for compliance agility: Regulations and criminal techniques are changing constantly; your controls must keep up. Flagright’s platform is built with a no-code rule engine and highly customizable workflows. Compliance teams can easily modify scenarios, thresholds, and workflows through an intuitive interface, without needing developer support. For example, if the business launches a new product or enters a new market, the team can quickly adjust risk scoring factors or add new monitoring rules to cover the associated risks. This agility is complemented by real-time alerts and dashboards, so you get immediate visibility into any emerging issues. The ability to rapidly iterate on rules means fintechs can respond to regulator feedback or novel typologies almost instantly. In essence, a flexible, no-code system future-proofs your AML program, ensuring you’re never stuck with outdated controls as threats evolve or as the EU rolls out new regulatory requirements.
By leveraging such an advanced compliance platform, fintechs can turn AML compliance from a weak link into a competitive strength. The EBA itself has noted that when implemented well, RegTech can streamline workflows and help create dynamic risk-based controls. Solutions like Flagright provide the architecture for this: centralized dashboards, real-time data processing, AI-driven insights, and one-click reporting. However, technology must be paired with skilled oversight. Fintechs should invest in training their compliance teams to fully utilize these tools, regularly validate the system outputs, and continuously refine their risk models. When done right, an AI-powered, no-code AML platform can allow even lean compliance teams to meet the high bar regulators now set, without sacrificing customer experience or growth.
Key Takeaways for EU Fintech Compliance Teams
For compliance officers and founders of European fintechs, the message is clear: it’s time to get your house in order before regulators do it for you. Here are the key steps and takeaways to focus on now:
- Get audit-ready now: Assume that an EU regulator or the upcoming AMLA will audit your program in detail. Prepare by ensuring everything is documented: risk assessments, customer files, alert investigations, SAR filings, training records, etc. Invest in tools that provide comprehensive audit logs and reporting (e.g. case management systems that track every action) so you can demonstrate traceability and accountability in all compliance processes. Being audit-ready means no scrambling when the examiner arrives; you’ll have confidence in your data and records.
- Fix or replace RegTech that isn’t working: Take a hard look at your current AML systems and processes. If your transaction monitoring or screening solution is drowning you in false positives or blind to certain risks, it’s time to recalibrate or upgrade. The EBA has made it plain that careless use of compliance technology can itself be a risk. Make sure any RegTech tool is “fit for purpose”: properly configured, tested, and supplemented with human expertise and oversight. If you lack in-house expertise to optimize a tool, bring in external help or consider more user-friendly platforms. Don’t rely on vendor defaults; tailor the system to your business’s risk profile. Regulators expect you to actively manage your technology, not be a passive user.
- Prove you have a risk-based monitoring program: Under the EU’s risk-based approach, it’s not enough to do the bare minimum; you must actively adjust to the risks you face. Develop a clear methodology for continuous risk-based monitoring of transactions and customers, and be ready to prove it works. This could include maintaining up-to-date customer risk scores, thresholds that make sense for your risk appetite, and surveillance for trends (e.g. sudden surges in transaction velocity) that might indicate laundering. If you’ve implemented dynamic risk scoring and real-time alerts, document examples of how these led to catching suspicious activity or re-classifying a client’s risk. By demonstrating that your monitoring adapts as criminal methods evolve, you reassure regulators that you’re not just ticking boxes; you’re truly mitigating ML/TF risk in practice.
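The continuous, behaviour-driven re-rating described in the Flagright section and in the takeaway above, as an added illustration that is not part of the original article or of Flagright’s product: a minimal Python re-scorer that adjusts a customer’s risk score after every transaction (velocity surge against a rolling baseline, high-risk jurisdiction), lets benign activity decay the score back toward the onboarding floor, flags when the enhanced due diligence (EDD) threshold is crossed, and records each change in an audit log so the score history an examiner asks for exists. All weights, thresholds, the placeholder country code XX and the sample transactions are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed, illustrative parameters (assumptions, not EBA or Flagright values).
BASELINE_WINDOW = 5            # past transactions that form the velocity baseline
VELOCITY_SURGE = 3.0           # an amount above 3x the rolling average is a surge
HIGH_RISK_COUNTRIES = {"XX"}   # placeholder jurisdiction code, constructed
EDD_THRESHOLD = 60             # score at which enhanced due diligence is triggered

@dataclass
class Customer:
    customer_id: str
    inherent_score: int   # onboarding score from static attributes (product, PEP status)
    history: deque = field(default_factory=lambda: deque(maxlen=BASELINE_WINDOW))
    score: int = 0
    audit_log: list = field(default_factory=list)

    def __post_init__(self):
        self.score = self.inherent_score   # the onboarding score is the floor

def rescore(cust: Customer, txn: dict) -> list:
    """Re-rate the customer after one transaction; returns the reasons recorded."""
    reasons, delta = [], 0
    if cust.history:
        baseline = sum(cust.history) / len(cust.history)
        if txn["amount"] > VELOCITY_SURGE * baseline:
            delta += 25
            reasons.append(f"velocity surge: {txn['amount']} vs baseline {baseline:.0f}")
    if txn["country"] in HIGH_RISK_COUNTRIES:
        delta += 20
        reasons.append(f"high-risk jurisdiction {txn['country']}")
    if not reasons:
        delta = -5   # benign activity decays the score, never below the inherent floor
    new_score = max(cust.inherent_score, min(100, cust.score + delta))
    if new_score >= EDD_THRESHOLD > cust.score:
        reasons.append("EDD review triggered")
    if new_score != cust.score:   # every change is traceable to a transaction and reasons
        cust.audit_log.append({"txn": txn["id"], "old": cust.score,
                               "new": new_score, "reasons": reasons})
        cust.score = new_score
    cust.history.append(txn["amount"])
    return reasons

# Constructed sample stream: three normal payments, a surge, then a surge to a
# high-risk jurisdiction.
CONSTRUCTED_TXNS = [
    {"id": "t1", "amount": 100, "country": "DE"},
    {"id": "t2", "amount": 120, "country": "DE"},
    {"id": "t3", "amount": 90, "country": "DE"},
    {"id": "t4", "amount": 2500, "country": "DE"},
    {"id": "t5", "amount": 3000, "country": "XX"},
]

def run_demo() -> Customer:
    """Replay the constructed stream for one customer and return the re-rated record."""
    cust = Customer("c-001", inherent_score=20)
    for txn in CONSTRUCTED_TXNS:
        rescore(cust, txn)
    return cust
```

Calling run_demo() and printing the returned audit_log shows the score moving 20 to 45 on the first surge and 45 to 90 (with the EDD trigger) on the second; a real deployment would feed the same log into case management rather than a list.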
In summary, EU fintechs, EMIs, and payment firms must transition from startup-style compliance (fast and loose) to a scaled-up, mature compliance posture. The writing is on the wall with the new EU AML Authority and regulations: those who fail to implement effective AML controls will face heavy consequences, while those who invest early in strong compliance will not only avoid fines but also gain trust with banking partners and customers.