EBA Issues Opinion on ML/TF Risks, Urges Practical Controls

Written by Insight & Partnership Team | Aug 1, 2025 2:09:23 PM

 

✅ For FinTechs and PSPs:
Many are under scrutiny not because of intent, but because their controls haven’t scaled with their business. Cross-border complexity, outsourced onboarding, and untested TM models are key gaps. Operating models and risk frameworks need to match the pace and scale of growth.

✅ For established firms onboarding FinTech or crypto partners:
The report flags growing risk from partnerships where due diligence is performed at onboarding, but not monitored effectively thereafter. Inherited risk through third-party arrangements is an increasing concern.

✅ For those using RegTech or AI in compliance:
The EBA isn’t questioning innovation, it’s questioning implementation. “Fit for purpose” means governance, testing, and clarity on what the tech does, not just what it claims to do. Calibration to the firm’s context and nuanced risk profile is essential. Critically, many failures stem not from the tools themselves, but from inadequate in-house expertise to use, oversee, or challenge them effectively.

✅ For sanctions and TM teams:
Sanctions screening is still falling short, especially for SEPA Instant, card schemes, and complex sectoral risks. The EBA points to weak thresholds, static rules, and poor escalation processes. Many systems are built for volume, not for risk relevance. In fast-moving environments, alerts are missed and emerging typologies go undetected. The problem remains a blend of tuning and design issues. Effective screening depends on whether your controls can adapt in real time.

➡️ Regulators aren’t just asking what your policies say, they’re asking if your controls hold up in practice, against real threats, in real time.
That means:
⚫ Controls calibrated to actual exposure, not static risk assumptions
⚫ Systems that adapt as criminal methods evolve, not just alert by design
⚫ Governance that’s live, informed, and engaged, not passive or siloed
⚫ Documentation that explains not just what you did, but why, and why it made sense at the time

Assurance hinges on the alignment between policy, controls, and operational reality.