EBA finds that money laundering and terrorist financing risks in payments institutions are not managed effectively

The European Banking Authority (EBA) today published its Report on money laundering and terrorist financing (ML/TF) risks associated with EU payment institutions. Its findings suggest that ML/TF risks in the sector may not be assessed and managed effectively by institutions and their supervisors.

In 2022, the EBA assessed the scale and nature of ML/TF risk in the payment institutions sector. It considered how payment institutions identify and manage ML/TF risks and what supervisors do to mitigate those risks when considering an application for the authorisation of a payment institution and during the life of a payment institution.

The EBA’s findings suggest that generally institutions in the sector do not manage ML/TF risk adequately. AML/CFT internal controls in payment institutions are often insufficient to prevent ML/TF. This is in spite of the high inherent ML/TF risk to which the sector is exposed.

The EBA’s findings also suggest that not all competent authorities are currently doing enough to supervise the sector effectively. As a result, payment institutions with weak AML/CFT controls can operate in the EU, for example by establishing themselves in Member States where authorisation and AML/CFT supervision processes are less stringent to passport their activities cross-border afterwards.

Failure to manage ML/TF risks in the payment institutions sector can impact the integrity of the EU’s financial system. The EBA’s work on access to financial services further suggests that failure to address those risks will also undermine efforts to improve access by payment institutions to payment accounts.

Several of these findings relate to issues addressed in EBA Guidelines. A more robust implementation by supervisors and institutions of provisions in these guidelines will mitigate the sector’s exposure to ML/TF risks.

Legal basis and background

Article 9a(5) of Regulation (EU) 1095/2010 (‘EBA founding regulation’) mandates the EBA to perform risk assessments on significant ML/TF risks affecting the EU’s financial sector.

The EBA drew on a number of sources to inform this risk assessment. These include the findings of the EBA peer review on authorisation of payment institutions under PSD2, data extracted from the EBA’s AML/CFT database, EuReCA (available here), questionnaire responses, bilateral interviews with selected EU supervisors, national and supervisory assessments of ML/TF risks in the sector, and any other information available to EBA through its work on ML/TF risks and supervision.

Findings of this risk assessment will be feeding into the EBA’s bi-annual ML/TF risk assessment exercise under Article 6(5) of Directive (EU) 2015/849.

The EBA, in line with its legal duty to lead, coordinate and monitor the AML/CFT efforts of all EU financial services providers and supervisors, remains committed to tackling ML/TF risks holistically, across all financial sectors within its remit.