Exposing the Risk in RegTech: The EBA’s Warning and What Comes Next
The European Banking Authority’s (EBA) latest Opinion on money laundering and terrorist financing (ML/TF) risks is a pointed reminder that regulatory technology, however sophisticated, does not make up for poor methodology. While the sector races to digitise compliance and embrace automation, the EBA delivers a sobering verdict: the improper use of RegTech is now a material ML/TF risk in its own right.
This is not a fringe concern. More than half of the serious compliance failings reported to the EBA’s EuReCA database during 2023–2024 involved RegTech that had been poorly implemented or inadequately governed. The issue is not that firms are using technology; it is that they are deploying it without a firm understanding of the risks they are trying to manage, or of the controls they need to mitigate them.
For us, the findings reinforce a principle that underpins our approach to financial crime business-wide risk assessment (BWRA): automation without insight is a dangerous shortcut.
A Familiar Pattern: Tools Without Foundations
The EBA identifies three core vulnerabilities behind the rise in RegTech-related failures:
Over-reliance on outsourced tools, often from a small pool of providers, without proper oversight or customisation.
Automation without safeguards, including systems that are not tested, validated, or explainable.
Insufficient in-house expertise, leading to weak governance and an inability to challenge or adapt the tools in use.
These failures point to a broader issue: the digitisation of compliance processes that were already flawed. Many organisations are simply replicating spreadsheet logic in new platforms or rushing to buy RegTech to “solve” the BWRA requirement, without first asking whether their existing methodology actually reflects their exposure to criminal exploitation.
As the EBA puts it, this is not responsible innovation. As we have said previously, this is compliance theatre, now digitised.
The Missing Layer: Understanding Actual Risk Exposure
The BWRA is supposed to tell you where your exposures lie, what controls you have in place, and whether those controls are sufficient. But this only works if you’re asking the right questions at the outset.
Too often, firms default to generic assessments: customer risk, product risk, delivery channel risk. These categories may be useful for structuring regulatory data, but they are not, in themselves, analytical. A single risk never fits neatly within one of these categories; risks are complex and multi-faceted. Furthermore, these categories do not tell you how a risk manifests, what events could occur, or which controls would need to intervene.
This is the blind spot at the heart of many BWRA tools and approaches. It is why our alternative approach starts with risk events: defined scenarios that describe how money laundering, terrorist financing, or sanctions evasion could actually occur in the context of your firm’s business model.
Each event becomes the anchor point for:
Mapping specific preventive, detective, and corrective controls;
Assessing whether those controls are present, implemented, and effective;
Measuring residual risk in a way that reflects real exposure—not just regulatory expectation.
Only once this risk-control relationship is established does it make sense to automate. Otherwise, RegTech becomes a tool for enforcing false comfort.
Lessons from the EBA: A Clear Case for Methodology-Led Technology
The EBA’s warning is clear: RegTech must be driven by good governance and better data, not vendor hype. In the context of BWRA, we believe this means:
Start with risk, not form-filling
The primary function of a risk assessment is insight, not evidence of compliance. The latter should follow naturally from the former. If your BWRA does not help you understand your vulnerabilities, it is not worth automating.
Map controls to risk events, not categories
Controls can only be tested if their objective is clearly defined. Grouping them under general headings like “Customer Due Diligence” or “Monitoring” obscures their individual role in managing specific risks.
Test for effectiveness, not just existence
The EBA highlights that many RegTech tools fail not because they don’t work, but because they are applied inappropriately or go unchallenged. Effectiveness is not a technical feature; it is a performance outcome.
Avoid one-size-fits-none solutions
The use of generic, off-the-shelf tools is a growing systemic risk. Tools should reflect your firm’s business model, risk appetite, and operational structure. Anything less invites both regulatory attention and operational failure.
This Is Not a Call to Slow Down. It’s a Call to Go Deeper.
The financial crime threat landscape is evolving rapidly, from AI-enabled fraud to sanctions evasion via instant payments. RegTech can and should be part of the solution. But it must be built on a meaningful understanding of the threats we face and the mechanisms we use to defend against them.
We are not anti-technology. We are anti-unthinking-technology. The real innovation lies not in the digitisation of today’s BWRA processes, but in the redesign of the underlying approach. Our focus, before thinking about the product, has been to get the methodology right.
That means:
Structuring risk around the events that matter.
Linking those risks to discrete controls.
Prioritising testing and performance over paperwork.
And aligning the BWRA with national threat intelligence, sectoral typologies, and operational data, not just internal spreadsheets.
With this foundation in place, RegTech can finally do what it promises: make financial crime risk assessment faster, clearer, and more effective.
What Comes Next
The EBA has laid out the challenge. Now it’s time for the sector to respond. That response must begin with a change in mindset. We don’t just need better tools; we need better thinking. And we need to treat risk assessment not as a compliance burden, but as a core capability.
Our methodology is designed to enable exactly that. If you’re re-evaluating your BWRA approach, or if you’re wondering whether your current RegTech setup is delivering insight or just automation, let’s talk.
We’re currently working with early partners ahead of our formal launch later this year. If you’d like to be part of that dialogue, we’d welcome the conversation.