EBA: The unthinking use of RegTech creates ML/TF risks


The European Banking Authority (EBA) has launched its 2025 Opinion on money laundering and terrorist financing risks affecting the EU’s financial sector. The report highlights a pressing concern around RegTech: that “poor implementation hampers potential for better controls” [1].

While EBA acknowledges the significant potential RegTech solutions offer, they point out that effective implementation is jeopardized by inadequate in-house expertise, poor governance and insufficient oversight. 60% of the material AML/CFT weaknesses reported by competent national authorities to EBA during 2023 and 2024 relate to issues involving RegTech technologies, systems and tools.

Unintended Risks from Automation

EBA finds that outsourcing, automation without oversight and a lack of in-house skills are the top AML/CTF risks associated with RegTech. More than half of the competent authorities (CAs) identify outsourcing RegTech as a significant risk, noting that financial institutions may lack adequate oversight of large-scale service arrangements.

Automation, when applied without robust controls, also exposes organizations to substantial risk. Almost half of CAs describe the risks from automated solutions that are not properly monitored as significant. This lack of challenge and oversight, especially in key areas such as onboarding, due diligence, transaction monitoring and name screening, can critically undermine regulatory compliance and raise systemic vulnerability.

Additionally, 36% of CAs highlight a deficit of internal skills and experience, hampering organizations’ ability to govern RegTech systems effectively. Heavy reliance on standardized solutions (“concentration risk”) by many supervised entities compounds the threat, especially where these tools are not adapted to the specific risk profiles or needs of individual firms.

Figure 1: Risk assessment by competent national authorities regarding RegTech (Source: EBA 2025 Report on money laundering and terrorist financing risks for the EU’s financial sector)

Getting RegTech Right: The Governance Imperative

The EBA underscores that technology alone does not ensure compliance: risk-based oversight, tested controls, transparency and explainability of RegTech systems are all essential. Institutions that “set and forget” these solutions and fail to tailor them to operational realities undermine their own defences against AML/CTF vulnerabilities.

AI: The Catch-up Race Has Begun

At the same time, AI is changing the game. The report refers to observations that criminals increasingly use AI technologies for fraudulent account opening and account takeover. Criminal networks use AI to automate financial schemes, conceal fund sources and make high-risk transactions harder to detect. The report refers to cases where such networks leverage AI and deep-fake technology to bypass standard remote identity verification measures, with criminals impersonating real individuals, using false identities, or relying on ‘money mules’ – legitimate customers who transfer control of their accounts for the purpose of laundering illicit funds.

To defend themselves against such attacks, banks need equivalent technologies. However, as our study “AI in Compliance” [2] demonstrated, banks face significant challenges in understanding AI technologies and finding qualified personnel to develop, integrate and effectively monitor AI.

How Synpulse Helps Clients Overcome These Risks

With nearly 30 years of experience in advising financial institutions on new technologies, we understand the challenges banks face when implementing RegTech and creating value for customers, employees and shareholders. We support our clients in the:

  • Assessment of the fit and appropriateness of RegTech solutions relative to each organization’s risk environment, business model and compliance obligations
  • In-house development or adaptation and integration of external RegTech solutions (including AI-supported systems) into the company's control frameworks (in this case: AML/CTF-program) and the IT architecture
  • Development of in-house expertise through tailored training and change management
  • Establishment of robust governance standards and effective oversight of technology – and, in the case of external RegTech solutions, outsourcing providers – to meet audit and regulatory expectations

Featured: Practice Guide to AI Governance and Risk Management

Synpulse’s “Practice Guide to AI Governance and Risk Management” [3] provides best practices and practical tips for deploying RegTech and AI solutions in compliance processes. Key elements include:

  • An AI strategy that balances the expected benefits, costs and risks, sets out strategic objectives and defines the AI operating model
  • A risk assessment and tolerance as the basis for setting AI risk management measures
  • Clarity on risk ownership, transparency and explainability in algorithmic decision-making
  • Regular review of AI/RegTech effectiveness, controls and mitigation strategies with model-, data-, cyber- and third-party risk management at the centre

Synpulse supports you in introducing AI and RegTech solutions for effective risk management (here: ML/TF risks) without opening new avenues to unknown risks.

[1] Opinion and Report on ML TF risks.pdf

[2] Landmark Study on AI in Compliance Reveals Banks Take a… | Synpulse

[3] go.synpulse.com/STUDY-PART-2-Practice-Guide-EN-Digital

