These guidelines signal a clear direction: the days of procedural AML programs are over. Regulators now expect institutions to demonstrate active control, transparent reporting, and verifiable data quality — in short, a compliance culture built on intelligence and accountability.
The purpose of the EBA guidelines
The EBA’s financial crime risk framework aims to bring consistency to how institutions interpret and apply anti-money laundering (AML) and counter-terrorist financing (CTF) requirements. It provides a shared regulatory language for supervisors and firms, helping both measure risk in a comparable way across all EU member states.
The guidelines require financial institutions to:
- Identify and classify risk more accurately based on operational data.
- Apply mitigation measures proportionate to each customer’s exposure.
- Exchange intelligence securely with other institutions and authorities.
- Embed compliance into digital processes under AMLD6, DORA, and GDPR.
This focus on harmonization and accountability is the EBA’s response to the patchwork enforcement that previously allowed financial crime to slip through jurisdictional cracks.
Core expectations under the EBA framework
The EBA expects institutions to go beyond minimum compliance and show how their controls adapt dynamically to evolving threats. In practice, this translates to five key principles that define supervisory expectations:
- Apply risk-based approaches
Risk assessment must be continuous and context-driven, not static. Institutions should differentiate between low- and high-risk customers, products, and geographies rather than applying a uniform checklist.
- Maintain continuous monitoring
Detection tools must run in real time, flagging anomalies and potential suspicious activity automatically. This aligns with the logic of Suspicious Activity Monitoring, where patterns, not individual transactions, reveal risk.
- Integrate financial crime and fraud risk
The EBA recognizes that financial crime and operational risk are now inseparable. Under DORA, institutions must demonstrate that compliance systems remain resilient against fraud, cyberattacks, and process failure.
- Demonstrate data integrity and traceability
All compliance data must be reliable, consistent, and auditable. Supervisors now expect firms to provide evidence of how data moves through AML, fraud, and CDD systems.
- Strengthen governance and accountability
Boards and executive management are explicitly responsible for financial crime compliance. The EBA expects oversight at the highest level — with clear escalation procedures and ownership of risk outcomes.
Together, these expectations define the EBA’s shift from compliance on paper to compliance in action.
Supervisory approach
The EBA’s supervisory framework is built on a cycle of continuous assessment. National competent authorities use these guidelines to evaluate how well each institution identifies, manages, and mitigates financial crime risk in practice.
Supervisors assess several dimensions of compliance, including:
- Risk identification and classification models – Are they data-driven and updated regularly?
- Effectiveness of Customer Due Diligence (CDD) – Do onboarding and ongoing monitoring processes match customer risk levels?
- Transaction monitoring and SAR quality – Are alerts and reports timely, relevant, and accurate?
- Cross-border information sharing – Is intelligence exchange consistent and secure across jurisdictions?
- Operational resilience – Are the systems supporting AML and fraud monitoring reliable under stress, as required by DORA?
This outcome-based model means regulators focus less on whether a firm has procedures in place and more on whether those procedures work.
Regulatory alignment across Europe
The EBA guidelines ensure that all EU member states apply the same regulatory logic. They are closely aligned with both FATF Recommendations and the EU’s Sixth AML Directive (AMLD6), creating a seamless compliance architecture across Europe.
The EBA coordinates its work with the European Commission, European Central Bank (ECB), and national regulators to eliminate inconsistencies between countries and sectors — from retail banks to fintech startups.
This alignment also extends to PSD2 and DORA, reinforcing that financial crime compliance, fraud prevention, and digital resilience must now be managed as one integrated risk domain.
Challenges in EBA guideline compliance
While the guidelines set a clear standard, many institutions still struggle to meet it effectively. According to the Deloitte EU Financial Crime Risk Report 2024, fewer than half of surveyed financial institutions believe their compliance systems can adapt quickly to regulatory change.
Common challenges include:
- Inconsistent interpretation of risk-based principles – Supervisors apply different thresholds for what “proportionate” mitigation looks like.
- Fragmented data ecosystems – Compliance, fraud, and customer systems are often siloed, limiting visibility.
- Privacy constraints – Data protection laws such as GDPR restrict how intelligence can be shared, even with regulators.
- Resource imbalance – Mid-sized and regional institutions face the same obligations as large multinationals but with fewer resources.
These challenges are leading many institutions to explore privacy-preserving collaboration technologies that allow them to meet EBA expectations without breaching privacy rules.
“The EBA has made it clear that compliance cannot remain a procedural exercise. Institutions must prove that their systems can detect and respond to financial crime risk dynamically, not just document policies.”
- William Morris, Lead Enterprise Account Executive - UK
This insight captures the reality that the EBA’s focus is no longer on checklists — it’s on measurable performance and data-driven governance.
How the EBA connects with other regulations
The EBA’s guidelines are interdependent with the broader European regulatory landscape:
- AMLD6 and AMLD5 establish the legal base for anti-money laundering obligations.
- PSD2 extends oversight into digital payments and open banking environments.
- DORA ensures operational resilience across critical compliance infrastructure.
- FATF Recommendations provide the global reference point for AML and CTF standards.
Together, they define how Europe’s financial system must function: secure, transparent, and capable of managing risk intelligently.
Partisia’s perspective
The EBA’s vision depends on collaboration and data visibility — two goals often limited by privacy constraints. Partisia’s privacy-preserving data collaboration technology resolves this conflict.
By using Multi-Party Computation (MPC), institutions can:
- Jointly analyze risk data without sharing raw information.
- Collaborate with regulators, FIUs, and counterparties securely.
- Prove AML and fraud risk compliance through verifiable, privacy-safe computation.
This approach aligns with the EBA’s own goal: enabling effective, measurable compliance through innovation that protects both integrity and confidentiality.
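As an added illustration of the mechanism behind the claim above (this is example code written for this page, not Partisia's code and not a description of its product), the Python below uses additive secret sharing, the simplest building block of MPC: three hypothetical institutions each hold a private count of transactions matching a shared typology, and together they learn only the combined total and whether it crosses a reporting threshold. The institution names, counts, threshold and field modulus are all constructed for the example.

```python
import secrets

# Constructed choice: a Mersenne prime large enough to hold any realistic aggregate.
MODULUS = 2**61 - 1


def share(value, n_parties, modulus=MODULUS):
    """Split value into n_parties additive shares modulo a prime.

    The first n-1 shares are uniformly random; the last one is chosen so that
    all shares sum to value. Any n-1 shares on their own are statistically
    independent of value, so a single party learns nothing from its share.
    """
    if not 0 <= value < modulus:
        raise ValueError("value out of field range")
    shares = [secrets.randbelow(modulus) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % modulus)
    return shares


def reconstruct(shares, modulus=MODULUS):
    """Recover a shared value by summing all of its shares."""
    return sum(shares) % modulus


def joint_total(private_inputs, modulus=MODULUS):
    """Compute the sum of every institution's private count.

    Each institution acts as a dealer for its own input and hands share i to
    party i. Party i then adds up the shares it received (purely local work)
    and publishes only that partial sum. Summing the partial sums yields the
    total; no raw input is ever transmitted.
    Returns (total, party_views) so the views can be inspected.
    """
    n = len(private_inputs)
    dealt = [share(x, n, modulus) for x in private_inputs]
    # party_views[i] is everything party i ever sees: one share per input
    party_views = [[dealt[j][i] for j in range(n)] for i in range(n)]
    partial_sums = [sum(view) % modulus for view in party_views]
    return reconstruct(partial_sums, modulus), party_views


def exceeds_threshold(private_inputs, threshold):
    """Threshold check on the joint total; only the boolean and total are disclosed."""
    total, _ = joint_total(private_inputs)
    return total > threshold


if __name__ == "__main__":
    # Constructed sample: flagged-transaction counts from three institutions.
    institutions = {"Bank A": 120, "Bank B": 45, "Payment firm C": 310}
    counts = list(institutions.values())
    total, views = joint_total(counts)
    for name, view in zip(institutions, views):
        # Each party's view is a list of field elements that look random.
        print(f"{name} sees shares: {view}")
    print("joint total:", total)
    print("exceeds 400?", exceeds_threshold(counts, 400))
```

Two caveats a practitioner would attach to this sketch: it assumes honest-but-curious parties (a cheating party can corrupt the result undetected, which is why production MPC adds authentication of shares), and the disclosed output itself can leak when there are few inputs, since with two institutions each can subtract its own count from the total. Neither limitation is addressed by the sharing step alone.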