EU sees ‘crypto,’ AI as risks for money laundering, terrorism

The European Union’s (EU) top standards-setting body for the banking sector gave its updated opinion on money laundering and terrorism financing risks, warning that digital assets remain a high-risk sector while abuse of artificial intelligence (AI) is increasing.

On July 28, the European Banking Authority (EBA), the EU agency tasked with implementing rules to regulate and supervise banking across the 27-nation bloc, published its 2025 Opinion on the money laundering and terrorist financing (ML/TF) risks affecting the EU’s financial sector.

In it, the EBA noted a 2.5-fold increase in authorized crypto-asset service providers (CASPs) between 2022 and 2024, and that many of these CASPs “lack effective AML/CFT systems, and some attempt to bypass regulatory oversight.”

The agency also underscored the growing risk of fraud by AI, with criminals increasingly using AI to automate laundering schemes, forge documents, and evade detection. The EBA voiced concerns that financial institutions “struggle to keep pace with these sophisticated threats,” and emphasized the need for responsible AI use and robust monitoring.

“Since the EBA’s fourth Opinion on ML/TF risks was published in 2023, the financial sector has faced a dynamic and increasingly complex ML/TF risk landscape,” said the report. “The rapid evolution of financial technologies and new financial products such as crypto assets, and the growing interconnection of financial products and services across sectors, have introduced new vulnerabilities.”

The ‘Opinion Report’ was based on data from January 2022 to December 2024, including the responses of 52 anti-money laundering/counter financing of terrorism (AML/CFT) ‘competent authorities’ (CAs)—the relevant national regulators of EU nations—to a risk assessment questionnaire.

The EBA has been issuing opinions on ML/TF risk every two years since 2017. The July 28 report is the fifth and focuses on the risk landscape shaped by rapid technological innovation, regulatory reform, and shifting criminal behaviors, including FinTech, RegTech, and AI.

Unthinking use of regulation technology

Regarding RegTech, or regulation technology, the EBA said, on the plus side, that it can “help streamline workflows, create dynamic risk profiles and enable institutions to manage large data volumes efficiently.” It added that it also “offers the potential for institutions to share data safely and securely.”

The agency’s survey found that 29% of CAs identified good RegTech practices. However, half of all CAs surveyed also identified ML/TF risks associated with using RegTech solutions, and 15% considered that the risks had increased.

The EBA blamed this unfortunate statistic on the “unthinking” use of RegTech. Specifically, the three most significant risks were outsourcing, automation without effective monitoring, and lack of in-house skills and experience.

Another core area of concern for the EBA was digital assets, with the increased interconnectedness of traditional financial services providers with innovative financial services providers, such as CASPs, being of “particular concern.”

Digital currency risk remains

It was the opinion of the EBA that the abuse of digital asset services for financial crime remains a key concern, a problem compounded by a surge in transaction volumes and an increase in the number of authorized CASPs in the EU.

“Between 2022 and 2024, the number of licensed or registered CASPs has multiplied by 2.5 to reach 2,525 at the end of 2024, as has the volume and average value of crypto transactions,” noted the report.

As a result, 17% of CAs considered that digital asset-related risks had increased in 2024, compared to the risks identified in 2023, while 7% considered it had decreased—the remaining percentage was split 30% “still not a risk” and 46% “risk remains consistent.”

Moreover, CAs found that CASPs “often lacked effective AML/CFT systems and controls,” which the EBA said reflected “a gap between regulatory expectations, legal obligations and actual practice.”

This appears at first look a worrying assessment, however, when considering these stats and comments, it’s worth keeping in mind that the full provisions of the EU’s Markets in Crypto Asset (MiCA) regulations related to CASPs did not come into force until the end of December 2024. Thus, the changed regulatory landscape of the EU since then may make the following EBA opinion report look quite different.

This was not lost on the EBA, which noted that the effective and consistent application of MiCA’s “enhanced supervisory coordination and enforcement” could address the lack of robust AML/CFT controls in the sector.

In terms of specific concerns, a major one noted by the report was that CASPs and the providers of other financial services are increasingly interlinked, particularly in the credit institutions, payment institutions, and e-money institutions sectors.

In May 2023, the European Systemic Risk Board (ESRB) declared that “the crypto market has few interlinkages with the traditional financial sector and the real economy, and none of those links are currently significant.” Meanwhile, in October 2024, the Financial Stability Board (FSB) noted that digital assets “remain a small portion of global financial assets,” thus, the risk of infection spreading from the sector is low.

A potentially more problematic finding in the EBA opinion report was that CAs highlighted a rise in fraud targeting investors in digital assets, notably ‘rug pull scams,’ where fake tokens lure investors before the creators vanish with the funds. Another concern related to the issuing of digital assets to raise funds, such as unregulated token sales via decentralized platforms, which can also lead to fraud and regulatory breaches.

The report also noted that investigations by law enforcement authorities across EU member states showed that digital assets continue to be used as a means of transfer for terrorism financing.

However, in a departure from previous opinion reports, the EBA noted that Europol, the EU law enforcement agency, had observed an increasing shift away from the prevalent use of Bitcoins towards the use of stablecoins. This tracks with a June update from the Financial Action Task Force (FATF) that stated “the use of stablecoins by various illicit actors, including Democratic People’s Republic of Korea (DPRK) actors, terrorist financiers, and drug traffickers, has continued to increase since the 2024.”

In addressing some of these issues and risks, the EBA underscored the need for strong due diligence, ongoing oversight, and clear regulatory frameworks.

In this regards, it noted that the complete MiCA regulatory framework applied from the end of 2024 and introduced four key AML/CFT rules for CASPs: CASPs must be authorized by an EU competent authority; CASPs and issuers of e-money tokens (stablecoins) have to ensure compliance with the EU’s AML/CFT rules; issuers must ensure that they, and the sector, are not exposed to serious ML/TF risks and that they don’t facilitate financial crime; and CASPs are required to include specific information on the originator and beneficiary of digital asset transfers, to make them more traceable.

The EBA has also issued several “regulatory instruments” to institutions and their supervisors that specify how the new rules should be applied at market entry and throughout the life cycle of a CASP or stablecoin, including guidelines on internal governance arrangements, redemption, ML/TF risk factors, and the authorization process.

However, digital assets weren’t the only innovative technology under the microscope in the report; AI was also pinpointed as an area of growing concern.

Automation and AI fueling increasingly sophisticated schemes

According to the EBA, criminals use AI for money laundering to automate financial schemes, conceal fund sources, and make high-risk transactions harder to detect. Perpetrators also abuse AI to generate fake documents, simulate legitimate operations, and use deepfake technologies to evade customer due diligence measures.

“Financial institutions face challenges in detecting sophisticated AI-driven attacks that are increasing in both volume and velocity,” said the report. “Addressing these threats will require advanced technologies and specialised expertise.”

In the credit providers sector, for example, CAs observed a high level of use of falsified ID cards to open new payment accounts and acquire credit, especially with online platforms.

“The scale, diversity and sophistication of fraudulent activities are previously unseen, driven by advancements in automation and AI,” warned the EBA. “These schemes leverage AI to create highly realistic narratives that incorporate trending societal topics, making them increasingly convincing.”

In its opinion, the EBA emphasized the need for responsible AI deployment, supported by robust governance, staff training, and real-time monitoring capabilities.

“Institutions must remain vigilant and adaptive in this evolving threat landscape,” added the agency.

General findings and opinions

More generally, the EBA noted that 70% of competent authorities reported high or rising ML/TF risks in the financial sector, which they attribute in part to weak AML/CFT controls, as well as poor governance, with firms apparently prioritising growth over compliance.

Overall, the opinion of the EBA was that, as things stand, innovative technology in financing represents a net increase in risk:

“While innovation can help make the fight against financial crime more streamlined and effective, the EBA’s findings suggest that the sector’s drive for innovation and growth may be outpacing its ability to manage ML/TF risks, with firms in the credit institutions, payment institutions and e-money sectors particularly exposed.”

When meeting this challenge, the EBA pointed again to its new guidelines, applicable from the end of 2025, which aim to harmonize standards across the EU banking and finance sector.

This includes guidance on ML/TF risk assessments, requirements on transfering of funds and certain digital assets (the EU ‘travel rule’), and compliance with enhanced customer due diligence provisions related to high-risk third countries.

In order for artificial intelligence (AI) to work right within the law and thrive in the face of growing challenges, it needs to integrate an enterprise blockchain system that ensures data input quality and ownership—allowing it to keep data safe while also guaranteeing the immutability of data. Check out CoinGeek’s coverage on this emerging tech to learn more why Enterprise blockchain will be the backbone of AI.

Watch: Demonstrating the potential of blockchain’s fusion with AI