BRUSSELS — Inadequate customer due diligence and flawed know-your-customer (KYC) procedures have emerged as the most persistent vulnerabilities in European banks’ anti-money laundering (AML) defences, according to the European Union’s Anti-Money Laundering Authority (AMLA).
The authority’s 2025 annual report, published this week, reveals that seven out of ten supervisory filings across the bloc identified deficiencies in how financial institutions understand and profile the risk attributes of their clients. The findings underscore the centrality of KYC breakdowns in enabling illicit fund flows and highlight the challenges AMLA will face as it assumes direct supervisory powers over high-risk cross-border institutions in 2026.
AMLA’s 2025 Report: Customer Risk Profiling at the Core of Weaknesses
AMLA’s assessment draws on data submitted by national competent authorities (NCAs) throughout the EU and EEA, offering the most comprehensive snapshot to date of systemic AML/CFT (countering the financing of terrorism) deficiencies in the banking sector.
The report identifies customer risk profiling as the single most common weakness cited by supervisors. Failures in this area typically manifest as:
- Insufficient or outdated customer information at onboarding
- Inadequate verification of beneficial ownership structures
- Poor ongoing monitoring of transaction patterns against declared business activity
- Weak escalation procedures when risk indicators change
“Failing to profile customers correctly is the main weakness in financial institutions’ money laundering frameworks,” the report states, adding that these gaps were present in 70% of the compliance weakness reports filed by national supervisors.
The authority warns that such deficiencies undermine the effectiveness of downstream controls, including transaction monitoring systems and suspicious transaction reporting (STR) mechanisms.
Broader Context: AML Supervision Improving, but Implementation Gaps Persist
The AMLA findings come as the European Banking Authority (EBA) separately concluded that AML/CFT supervision across the EU has improved markedly over the past six years, with most NCAs now adopting more risk-based, proactive approaches.
However, the EBA’s 2025 final report on national supervisory practices also flagged uneven implementation, resource constraints, and inconsistent cooperation between prudential and AML supervisors as ongoing risks. These gaps are expected to test AMLA’s协调能力 as it transitions from an advisory body to a direct supervisor of selected high-risk institutions under the EU’s new AML package.
The authority’s 2025 opinion on ML/TF risks further highlighted emerging threats from FinTechs, crypto-asset service providers (CASPs), and the misuse of RegTech tools, noting that more than half of serious compliance failures reported to the EBA’s EuReCA database involved improper implementation of automated compliance technologies.
Enforcement Trends: KYC and CDD Failures Drive Record Fines
Recent enforcement actions corroborate AMLA’s assessment. In June 2026, Sweden’s Finansinspektionen imposed a SEK 140 million (£11.2 million) penalty on Ikano Bank for enhanced due diligence (EDD) failures, including inadequate verification of high-risk customers and insufficient source-of-wealth documentation.
Similarly, Germany’s BaFin fined Varengold Bank €3.3 million for weak AML controls and delayed STRs, while Sutor Bank received a €702,500 penalty for systemic KYC and customer due diligence (CDD) breakdowns. In Italy, Qonto’s local entity Olinda was sanctioned €390,000 for KYC/CDD, STR, and record-keeping deficiencies.
In the UK—though outside the EU—parallels are evident. Barclays was hit with a £42 million fine in 2025 for weak financial crime controls, while Monzo Bank received a £1.5 million penalty for deficiencies in transaction monitoring and onboarding.
Structural Bottlenecks: Data, Technology, and the 2027 Deadline
A separate PwC survey of over 500 financial institutions across 40 countries found that only around one-third of European banks expect to be ready for the EU’s new AML package by the July 2027 deadline, with customer due diligence cited as the central operational bottleneck.
The research highlighted:
- Data quality as the biggest barrier to deploying advanced analytics and AI-driven monitoring tools
- 40% of firms concerned that CDD requirements are “overly rules-based,” limiting risk-based flexibility
- 61% of banks planning new investments in transaction monitoring systems, though adoption remains uneven
Meanwhile, 87% of institutional investors said they have declined or reconsidered fund commitments due to AML/KYC concerns, signalling growing market sensitivity to compliance standards.
AMLA’s Expanding Mandate and the Road Ahead
Established in 2024, AMLA became operational in Frankfurt in 2025 and is set to begin direct supervision of up to 40 high-risk cross-border financial institutions in 2026. The authority’s 2025 report serves both as a diagnostic tool and a strategic roadmap, identifying priority areas for supervisory focus and technical assistance.
Key priorities outlined in the report include:
- Harmonising CDD standards across member states under the single EU AML rulebook
- Strengthening guidance on beneficial ownership verification and Politically Exposed Persons (PEP) screening
- Enhancing coordination between AML and prudential supervisors to close information gaps
- Supporting NCAs in scaling RegTech and AI tools responsibly, with robust governance frameworks
The authority also emphasised the need for financial institutions to move beyond “checkbox compliance” toward genuine risk-based frameworks that adapt to evolving typologies, including AI-enabled fraud and sanctions evasion.eba.
Industry Reaction and Next Steps
Industry bodies have welcomed AMLA’s findings while calling for greater clarity on implementation timelines and technical standards. Many firms point to the complexity of aligning legacy systems with new data and reporting requirements as a major hurdle.
AMLA’s 2025 annual report will feed into ongoing consultations on the EU’s AML package, including proposed amendments to the Implementing Technical Standards (ITS) on benchmarking and market risk, which run until September 2026.
With enforcement activity intensifying and the 2027 implementation deadline approaching, European banks face mounting pressure to overhaul KYC and CDD processes—or risk significant financial and reputational consequences.