The European Banking Authority has delivered a stark assessment of the cryptocurrency sector’s vulnerability to money laundering and terrorist financing, publishing its biennial opinion on July 28, 2025, that identifies crypto as a persistently high-risk area requiring urgent regulatory attention. The report, mandated under EU anti-money-laundering directives, warns that new vulnerabilities are emerging across the digital asset landscape even as the bloc pushes forward with comprehensive crypto regulation through MiCA.
TL;DR
- EBA publishes biennial AML/TF opinion identifying crypto as a persistently high-risk sector
- Authorized crypto-asset service providers (CASPs) have surged 2.5x between 2022 and 2024
- 70% of authorities report high or rising AML risks in fintech, with weak controls cited as the primary concern
- Criminals are increasingly leveraging AI to automate laundering schemes and forge documents
- Over half of serious compliance failures involve improper use of regtech tools
A Sector Under Scrutiny
The EBA’s 2025 opinion pulls no punches in its assessment of the crypto industry’s anti-money-laundering posture. According to the report, the number of authorized crypto-asset service providers operating within the EU has increased 2.5-fold between 2022 and 2024, a dramatic expansion that has outpaced the development of adequate compliance infrastructure. The watchdog found that many CASPs lack effective AML and counter-terrorist financing systems, and some actively attempt to bypass regulatory oversight altogether.
The report attributes this concerning state of affairs to a combination of rapid market growth, technological complexity, and a culture within some firms that prioritizes expansion over compliance. Key vulnerabilities identified include exposure to cybercrimes, outsourcing of critical functions without effective oversight, and inadequate customer due-diligence controls. The EBA noted that these weaknesses are not hypothetical, they are being actively exploited by criminal networks seeking to exploit the relative anonymity and speed of cryptocurrency transactions.
The Fintech AML Crisis
Crypto is not the only sector drawing regulatory concern. The EBA report reveals that 70% of competent authorities across the EU reported high or rising AML and terrorist financing risks in the broader fintech sector. The common thread running through these findings is a pattern of weak internal controls and poor governance structures that leave financial institutions exposed to exploitation.
The watchdog’s assessment is particularly significant given the timing. The EU’s Markets in Crypto-Assets Regulation, known as MiCA, began full application in late 2024, establishing a comprehensive regulatory framework for crypto-asset service providers across the bloc. However, the EBA’s findings suggest that the regulatory framework alone is insufficient without robust enforcement and a genuine commitment to compliance from the industry itself.
Several member states have already taken enforcement action against CASPs that failed to meet AML requirements under the new framework. Germany’s BaFin, France’s AMF, and the Netherlands’ DNB have all issued warnings or penalties to crypto firms in the first half of 2025, signaling that regulators are prepared to back up their supervisory expectations with concrete action.
AI: A Double-Edged Sword
One of the most striking elements of the EBA report is its analysis of how artificial intelligence is reshaping the money laundering landscape. Criminals are increasingly deploying AI tools to automate laundering schemes, forge identity documents, and evade detection systems, creating a technological arms race between illicit actors and compliance teams.
Financial institutions are struggling to keep pace with these sophisticated threats, the report warns, highlighting the urgent need for responsible AI deployment and robust monitoring systems. The EBA emphasized that while AI can be a powerful tool for compliance when properly implemented, many institutions lack the expertise and oversight necessary to use it effectively.
The regulator also expressed concern about the state of regulatory technology, or regtech, which is designed to help businesses meet their compliance obligations. The report found that over half of serious compliance failures reported to the EBA’s EuReCA database involved the improper use of regtech tools. Despite its potential to enhance compliance, regtech is often poorly implemented due to a lack of expertise and oversight, the report stated, suggesting that the solution can sometimes become part of the problem.
Sanctions Complexity and Global Implications
Beyond crypto-specific concerns, the EBA report addresses the broader challenge of sanctions compliance across the financial sector. The number and complexity of EU sanctions packages are creating significant difficulties for financial institutions, which often cannot implement sanctions requirements using standard screening tools. This gap between regulatory demands and operational capability is particularly concerning given the geopolitical tensions driving an ever-expanding sanctions regime.
The EBA has published two sets of guidelines designed to establish common EU standards for sanctions compliance, scheduled to take effect by the end of 2025. These guidelines aim to reduce the inconsistent implementation of sanctions measures that has plagued the bloc’s financial system, creating uneven enforcement that bad actors can exploit by targeting the weakest links in the regulatory chain.
The report does highlight some positive developments. Risks linked to tax crimes and unwarranted de-risking, the practice of financial institutions broadly refusing to serve certain categories of customers, appear to be decreasing. This suggests that some aspects of the EU’s regulatory approach are producing measurable improvements even as new challenges emerge.
Why This Matters
The EBA’s blunt assessment serves as a reality check for an industry that has often resisted regulatory oversight while simultaneously seeking institutional legitimacy. The message is clear: crypto cannot have it both ways. If the sector wants mainstream acceptance and institutional adoption, it must demonstrate a genuine commitment to anti-money-laundering standards that match or exceed those of traditional finance. The report also underscores the growing regulatory convergence between the EU and the United States, where the GENIUS Act and other recent legislation are establishing parallel frameworks for stablecoin oversight and market regulation. For crypto firms operating globally, the era of regulatory arbitrage is rapidly closing, replaced by an environment where compliance is not just a legal obligation but a competitive advantage.
Disclaimer: This article is for informational purposes only and does not constitute financial or legal advice. Cryptocurrency investments carry inherent risks, and readers should consult qualified professionals before making investment decisions.
casps surging 2.5x in two years while compliance infrastructure lagged behind is exactly the pattern regulators flag in every emerging industry. not unique to crypto but the speed makes it worse.
70 percent of authorities reporting rising aml risks is a staggering number. the eba is not mincing words here.
criminals leveraging ai for automated laundering and document forgery means compliance teams are fighting algorithms with algorithms now. the arms race is real.
the eba publishing this while mica is still being implemented across the eu creates a tension. new rules are coming but the watchdog is saying existing gaps are already being exploited.