
How the EBA AML Risk Report is Changing Payments in the EU

The European Banking Authority (EBA) recently found that money laundering and terrorist financing (ML/TF) risks in the EU aren’t being identified and mitigated effectively by payments institutions and their supervisors.

Because of the high ML/TF risks innate to the payments sector and weak anti-money laundering and countering the financing of terrorism (AML/CFT) controls, the EBA’s suggestion that competent authorities are falling short in their duties is alarming.

‘EBA Finds That Money Laundering and Terrorist Financing Risks in Payments Institutions Are Not Managed Effectively’

The EBA published the results of its 2022 risk assessment of EU payment institutions on the 16th of June 2023. 

The findings of this report reflect growing anxieties about the payments sector’s ability to comply with regulations, and what this means for the integrity of the EU’s financial ecosystem if payments institutions with weak AML/CFT controls are authorised in Member States with less strict supervision and then operate across the EU.

It’s a chastisement of payments institutions and supervisory authorities, but this report also gives key insight into the EU’s payments landscape relevant to any financial institution (FI) whose operations touch the payments system in any way.

Findings of this risk assessment will be feeding into the EBA’s bi-annual ML/TF risk assessment exercise and informing more in-depth assessment of emerging ML/TF risks like virtual IBANs and white labelling.

AML/CFT Risks Specific to the EU Payments Sector

The perception of the payments sector as high-risk was echoed in the European Commission’s 2022 supranational risk assessment, which stated it ‘appeared to be most vulnerable to risks arising from weaknesses in AML/CFT systems and controls’.

The EBA’s report also notes that payments institutions are often associated with higher ML/TF risks, including in the eyes of banks and other FIs. De-risking at FIs might see them decide to stop serving certain customers associated with higher AML/CFT risks, which poses an issue for payments services providers (PSPs) as it means they can’t access financial services.

To effectively mitigate financial crime risks, it’s crucial that PSPs both understand and use their customer and transaction data. The EBA report says that these firms don’t know their risk exposure well enough, and this comes from not knowing their customers’ KYC data accurately enough or applying this data to risk assessments.

Unfortunately, fragmented data is common among financial institutions, creating data siloes across an organization. When this data is housed in different systems, it becomes clunky, inefficient, and detrimental to overall anti-financial crime efforts. 100% of fintechs surveyed in a recent Fenergo report felt that moving between siloed KYC and transaction monitoring data platforms reduces their ability to assess risk effectively.

Verified, good-quality KYC data, fed by transaction activity, would allow for a better understanding of customer risk. But to achieve this, PSPs need to prioritize digitalizing key compliance processes and adopting a risk-based approach in line with the sector’s high risk exposure.

AML/CFT Weaknesses and Breaches the EBA Identified in the Payments Sector

“There is a general perception amongst EU AML/CFT supervisors that the payment institutions sector’s implementation of AML/CFT measures is less robust than, for example, that of the banking sector.”

The perception of supervisors is not only that the sector’s internal AML/CFT control systems are insufficient, but that payments institutions have less awareness of money laundering risks than FIs in the banking sector. This leads to their controls being ultimately inadequate for the ML/TF risks that the payments sector is exposed to, according to the EBA’s risk assessment.

The payments sector is the second most reported sector to EuReCA, the EBA’s AML/CFT database, after credit unions. Most breaches in the sector relate to ongoing monitoring, internal controls, policies and procedures, customer identification and verification of ID, and risk assessment at both a customer and business-wide level.

Harmonisation of regulation across the EU, in the manner that AMLA seeks to achieve, would even out the discrepancies in supervision and controls between member states, preventing PSPs or other FIs from operating across the EU with insufficient supervision for their risk profile.

The key weaknesses identified include:

  • A poor overall awareness of ML/TF risk. Supervisors pointed to the lack of rigorous training on AML/CFT issues. 
  • Lack of meaningful transaction monitoring. Transaction monitoring systems were often found to be deficient or missing.
  • Limited suspicious transaction identification and reporting abilities. Supervisors reported that many PSPs rely on the STR reporting systems of the credit institutions they bank with, instead of implementing their own.
  • Failure to understand restrictive measures or implement systems and controls. Sporadic or non-existent ongoing screening of customers and transactions was happening at some institutions.
  • Weak internal governance arrangements. This was particularly true of payment institutions that were new entrants seeking to maximise profits and grow quickly.
  • Terrorist financing risks are significant yet poorly understood and managed. This risk is linked to the cash-based, cross-border nature of the service, as well as a reliance on sanctions screening as the only TF risk mitigating tool. 
  • Remote/online onboarding without appropriate safeguards. Supervisors called out specific weaknesses from remote onboarding of customers without the appropriate safeguards, noting failures to identify high-risk customers, including PEPs. 

How Payments Providers Can Achieve More Effective Compliance 

Effective compliance and risk mitigation for PSPs comes down to adopting a community-based, risk-based approach that can assist in generating an appropriate template of pre- and ongoing risk assessment of their policies and procedures. This approach can help to safeguard against human error and automatically and accurately determine the risk of entities being onboarded, remotely or otherwise.

“Several of these findings relate to issues addressed in EBA Guidelines. A more robust implementation by supervisors and institutions of provisions in these guidelines will mitigate the sector’s exposure to ML/TF risks.”

Adopting advanced technology systems for KYC and Transaction Compliance is one way that PSPs can improve their understanding of their customers’ risk profiles and enable efficient compliance management.



About the Author

Rory Doyle, Head of Financial Crime Policy, joined Fenergo in 2017 and brings with him a wealth of subject matter expertise surrounding financial services, hedge funds, anti-money laundering, and financial crime regulations. Rory is also qualified with ACAMS as a Certified Anti-Money Laundering Specialist (CAMS). Additionally, Rory has extensive experience in the financial, legal, and compliance sectors from the likes of Merrill Lynch, Brown Brothers Harriman, and J.P. Morgan.
