Regulatory Insights

As the European Anti-Money Laundering Authority (AMLA) assumed its full responsibilities on 1 July 2025, it set clear expectations for firms operating in the crypto-asset space to establish and maintain robust measures to prevent money laundering and terrorist financing. AMLA acknowledges the growing role of innovation and new business models in the financial sector but underscores that the transformation of the cryptoassets landscape must be accompanied by strong safeguards. In line with the evolving regulatory framework, the authority emphasises the importance of ensuring that financial crime risks in this domain are addressed effectively across the EU.

The authority's 2025 Work Programme places Crypto-Asset Service Providers (CASPs) high on the supervisory agenda. AMLA has highlighted the sector's inherent vulnerabilities - particularly its technological complexity, cross-border reach, and potential for anonymity - as drivers of elevated ML/TF risk. With the Markets in Crypto-Assets Regulation (MiCA) now in effect, CASPs are required to obtain a MiCA license to operate within the EU. Several licences have already been granted, including to prominent market players, and the number is expected to rise significantly.

While National Competent Authorities (NCAs) retain responsibility for initial licensing and oversight of CASPs, AMLA will collaborate closely with them to promote consistent implementation of AML/CFT obligations across Member States. The Authority has made clear that it expects competent authorities to ensure CASPs have effective compliance systems in place from the outset of their authorisation.

Further reflecting the strategic importance of this sector, AMLA's financial intelligence unit will include crypto-assets among its initial focus areas. This will involve joint analytical efforts to identify emerging cross-border practices and financial crime risks in this rapidly developing space. These efforts are part of AMLA's broader goal to foster a harmonised, risk-based supervisory environment and to support a level playing field for all EU market participants.

The EU Commission published Delegated Regulation (EU) 2025/1184 in the Official Journal, updating the EU's list of high-risk third countries for AntiMoney Laundering (AML) purposes. The changes align with recent assessments by the Financial Action Task Force (FATF).

Key changes:

• Added to the list (new high-risk jurisdictions): Algeria, Angola, Côte d'Ivoire, Kenya, Laos, Lebanon, Monaco, Namibia, Nepal, and Venezuela.
  These countries have committed to addressing identified AML/CTF weaknesses and are working with FATF on action plans.
• Removed from the list (following progress): Barbados, Gibraltar, Jamaica, Panama, the Philippines, Senegal, Uganda, and the United Arab Emirates.

This list has direct implications for enhanced due diligence under EU AML rules.

Effective date:

The changes took effect on 5 August 2025.

The European Supervisory Authorities (EBA, EIOPA, and ESMA) have signed a multilateral Memorandum of Understanding (MoU) with the newly established European Anti-Money Laundering Authority (AMLA) to strengthen supervisory cooperation across the EU.

This MoU establishes practical arrangements for efficient and timely collaboration, facilitating the exchange of critical AML/CFT information and promoting supervisory convergence and cross-sector learning.

AMLA is empowered to

• directly supervise high-risk, cross-border financial institutions and exercise indirect supervision across both financial and non-financial sectors.
• coordinates the work of Financial Intelligence Units (FIUs) and develops regulatory and technical standards to ensure consistent AML/CFT implementation throughout the EU.

Meanwhile, the ESAs continue to promote financial stability and supervisory convergence, with their Joint Committee, chaired by EIOPA in 2025, serving as a key platform for cross-sector coordination.

This collaborative framework enhances the EU's ability to address money laundering and terrorist financing risks in a coordinated and effective manner.

The Financial Action Task Force (FATF) published on 8 July 2025 a new report identifying serious and evolving Terrorist Financing (TF) risks and calling for stronger global responses.

The Report - "Comprehensive update on terrorist financing risks" - highlights terrorists' ongoing ability to exploit the financial system and adapt methods to raise, move, and use funds, often combining conventional and digital tools. The Report draws on input from over 80 jurisdictions and 840 private sector and academic submissions, presenting trends and case studies from the past decade. It identifies key threats including decentralised operations, individuals acting alone who exploit legitimate financial channels and digital platforms, links with organised crime, and terrorism financing challenges in conflict zones. Despite steps taken by many countries, the FATF found that 69% of jurisdictions assessed still have major or structural deficiencies in prosecuting and convicting TF cases. FATF President, Elisa de Anda Madrazo, emphasised the importance of leveraging the findings of this Report to improve countries' understanding of national risks and to promote international collaboration. The Report includes practical TF risk indicators for public and private stakeholders and calls for targeted public-private partnerships and better international coordination. It also emphasises the importance of protecting humanitarian aid from abuse and implementing proportionate, risk-based safeguards for nonprofit organisations.

Produced with the support of the United Nations Counter-Terrorism Committee Executive Directorate (CTED) and France, the Report complements CTED's ongoing work on global Terrorism Financing (TF) trends and implementation gaps.

A public webinar to present the findings took place on 22 July 2025.

FATF launched on 10 July 2025 a new process to address unintended consequences from the misapplication of its standards on Non-Profit Organisations (NPOs). The aim is to safeguard legitimate NPO work from unjustified disruption while maintaining strong defences against terrorist financing.

The new procedure enables countries, the IMF, and the World Bank to raise concerns when FATF standards are applied in ways that unfairly hinder NPOs. It complements FATF's mutual evaluation and oversight processes and applies to all FATF and FSRB members, unless an FSRB opts to manage its own process.

FATF President, Elisa de Anda Madrazo, said the new procedure reflects the organisation's commitment to proportionality and responsiveness, balancing action on terrorist financing with support for NPOs.

The procedural updates are detailed in:

• The 2023 Universal Procedures (at paragraph 130(bis))
• The FATF 5th Round Procedures (at paragraph 136(bis))
• The 2022 Universal Procedures (at paragraph 55(bis))
• The FATF 4th Round Procedures (at paragraph 101(bis))

On 9 July 2025, the Cyprus Securities and Exchange Commission (CySEC) issuedCircular No. C721, replacing Circular C367 dated 24 March 2020. The update addresses the application of Article 62(2) of the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (L. 188(I)/2007).

The revised Circular provides updated guidance on the limited circumstances under which the verification of customer and beneficial owner identity may be completed during, rather than prior to, the establishment of a business relationship - in line with Article 62(2) of the Law.

The Circular sets clear limits and rules for when identity verification can happen after starting a business relationship, including:

• Customers can only deposit up to €2,000 in total across all their accounts before their identity is verified. However, this amount does not automatically mean the customer is low risk; firms must still assess each case carefully.
• Identity verification must be completed within 15 days from the first contact with the customer.
• Deposits must come only from bank accounts or related payment methods (like credit cards) in the customer's name.
• Firms need stronger internal policies to follow these rules properly.
• Supervisors will closely monitor compliance to make sure AML rules are followed.

Firms should review their onboarding processes and internal controls to ensure alignment with the updated guidance and CySEC's expectations.

EBA published on 28 July 2025 its 2025 Opinion on Money Laundering and Terrorist Financing (ML/TF) risks within the EU financial sector, highlighting how geopolitical developments, digital transformation, and regulatory changes are reshaping the risk landscape.

The EBA stresses that while innovation can strengthen compliance, careless deployment of RegTech and other tools may expose firms to heightened ML/TF risks. It underscores the importance of consistently applying the new EU legal framework to mitigate emerging threats, particularly as financial crime tactics become increasingly sophisticated.

Key findings include:

• FinTech: Over 70% of national supervisors report high or growing ML/TF risks. Many FinTech firms exhibit governance weaknesses and insufficient AML/CFT controls, with some prioritising rapid business expansion at the expense of robust compliance frameworks.
• RegTech: More than half of serious compliance failures reported to the EBA's EuReCA database involved misuse of RegTech solutions. RegTech solutions are often implemented without the requisite technical expertise or comprehensive supervisory oversight, leading to significant compliance failures.
• Crypto assets: This remains one of the highest-risk sectors. The number of authorised Crypto-Asset Service Providers (CASPs) grew 2.5 times between 2022 and 2024, yet many still lack effective AML/CFT frameworks, with some actively circumventing regulation.
• AI & fraud: Emerging evidence indicates that criminals are increasingly leveraging artificial intelligence technologies to automate money laundering activities, fabricate fraudulent documentation, and circumvent detection mechanisms, underscoring the imperative for financial institutions to adopt responsible AI integration coupled with continuous monitoring.
• Sanctions compliance: The growing complexity of EU restrictive measures has created implementation challenges. Many institutions lack the systems necessary for effective sanctions screening. To address this, the EBA has issued new Guidelines, effective from end-2025, to support a more harmonised approach across the EU.

Regulatory context:

The Opinion is issued under Article 6(5) of Directive (EU) 2015/849 (Fourth Anti-Money Laundering Directive), which mandates the EBA to assess ML/TF risks in the EU financial sector biennially. The findings will feed into the EU Commission's Supranational Risk Assessment and help guide both national authorities and the EBA's future policy priorities.

EBA released on 1 July 2025 its final Guidelines on Acquisition, Development, and Construction (ADC) exposures to residential property under the standardised approach of the Capital Requirements Regulation (CRR).

These Guidelines clarify the conditions under which banks may apply a lower risk weight of 100%, rather than the default 150%,to qualifying ADC exposures, helping ensure a more risk-sensitive treatment of residential property lending.

Key updates include:

• Condition 1: At least 50% of total contracts must be pre-sale or pre-lease agreements with sufficient deposits, or sale/lease contracts.
• Condition 2: Borrowers must have significant equity at stake - now defined as at least 25%, reduced from 35% following industry feedback.
  
  For public housing projects, the Guidelines introduce more flexibility:
• Meeting condition 1 can now be based on demand exceeding supply, even at the municipality level.
• The equity requirement has been lowered to 20%, and allowable forms of equity expanded to include subsidies, grants, and junior loans.

These measures form part of the EBA's broader roadmap for implementing the EU Banking Package on credit risk, balancing prudential safeguards with realeconomy considerations.

EBA opened on 2 July 2025 a public consultation on draft amendments to its Guidelines on the application of the definition of default under the Capital Requirements Regulation (CRR). The proposed changes aim to strike a balance between flexibility for institutions and sound credit risk management.

Key proposals include:

• Retaining the 1% NPV loss threshold for identifying default in debt restructuring, supporting consistency with existing standards and reducing the risk of regulatory arbitrage.
• Maintaining stability in default classification to aid reliable credit risk modelling under both IRB and IFRS 9 frameworks.
• Extending the exceptional treatment of past-due days from 30 to 90 days for non-recourse factoring, to better reflect how purchased receivables operate in practice.

The EBA is also considering, but has not yet included, a possible shortening of the probation period for certain loans where borrowers have been given special repayment relief (known as forborne exposures), for example reducing it from one year to three months. This aims to encourage earlier debt restructuring.

Consultation details:

• Open until 15 October 2025
• Public hearing via conference call: 3 September 2025, 11:00–12:00 CET
• Registration deadline: 29 August 2025, 16:00 CET

EBA launched on 2 July 2025 a public consultation on its draft Guidelines for the estimation and application of Credit Conversion Factors (CCFs) under the Capital Requirements Regulation (CRR). The consultation runs until 15 October 2025.

These Guidelines are part of the Internal Ratings-Based (IRB) repair programme and aim to standardise expectations for CCF modelling across EU banks, supporting consistency and risk sensitivity in internal models.

Key points:

• The Guidelines align closely with existing standards for Probability of Default (PD) and Loss Given Default (LGD), ensuring coherence across IRB risk parameters.
• Recognising the lower materiality and narrower scope of CCFs, the EBA proposes simplified approaches where appropriate—helping institutions implement robust models without undue complexity.
• The consultation paper includes targeted questions to gather feedback and ensure the final Guidelines are both effective and proportionate.

Consultation details:

• Deadline for comments: 15 October 2025
• Public hearing: 3 September 2025, 15:00–16:00 CET (registration by 29 August 2025).

This initiative supports the EBA's ongoing effort to maintain prudential soundness while improving clarity and consistency in internal model frameworks across the EU banking sector.

EBA released on 4 July 2025 a hotfix for Reporting Framework 4.1, addressing a range of technical issues discovered in the initial version. The update includes corrections to ensure accurate and consistent reporting by institutions.

To support implementation, the EBA has published a detailed issues list, outlining:

• Fixes included in the hotfix,
• Outstanding issues to be resolved in Framework 4.2, and
• Interim solutions for institutions to apply in the meantime.

In related news, the EBA postponed the mandatory adoption of the xBRL-CSV reporting format. Originally planned for the December 2025 reference date, it is now required starting from March 2026, giving firms more time to adapt.

All updates and documentation are available on the EBA's Reporting Framework 4.1 and 4.2 webpages.