Skip to content

Featured Search

Regtech gone wrong? What the EBA AML report reveals about controls failures.

Tags

In an era of accelerating regulatory pressure, compliance technology has become a default investment for financial institutions. The logic is compelling: automate manual processes, monitor threats in real time, and keep up with ever-evolving obligations.

But as the European Banking Authority’s 2025 Opinion on Money Laundering and Terrorist Financing (ML/TF) Risks[1] makes clear, technology alone isn’t delivering the protection firms expect. In fact, for many, it’s doing the opposite. . And while the EBA focuses on firms in the EU, the lessons are important in the U.S. as well.

Rather than reducing risk, poorly implemented regtech solutions are introducing new vulnerabilities. Tools are being deployed faster than governance can catch up. Controls are left untested, unmapped, and misunderstood. And firms that believed compliance could be automated are finding themselves exposed.

"Controls are the backbone of any risk management strategy – they’re what stand between you and the risks that can derail your business." – David Tattam, GRC Thought Leader, Protecht

Want to build a control framework that protects your organization, not just your audit trail? Download our Controls Management eBook:

Find out more

The compliance tech illusion

Over the past decade, financial institutions have poured money into compliance technology. The promise was clear: reduce manual effort, stay ahead of regulatory change, and prevent major breaches. From transaction monitoring to automated testing and real-time alerts, regtech seemed like the smart solution to a growing problem.

But according to the EBA’s report, the gap between perception and reality is widening. Far from solving the problem, digital tools are creating new vulnerabilities, especially in sectors where compliance maturity is still catching up with innovation.

The report paints a sobering picture of the current landscape:

  • 70% of supervisors see money laundering and terrorism financing risks rising in the EU financial sector
  • Fintechs and payment institutions are particularly exposed, often prioritizing rapid growth over sustainable compliance
  • Crypto-asset providers, emboldened by regulatory arbitrage, continue to operate without effective AML/CFT controls

Yet perhaps the most striking finding involves regtech itself. Despite its potential to enhance oversight, the EBA warns that careless adoption is introducing risk rather than reducing it:

“Implementation of regtech solutions is hampered by inadequate in-house expertise, poor governance and insufficient oversight.” — EBA, 2025

For many firms, regtech was supposed to be the answer. But without the right governance and controls, it’s just another vulnerability.

The problem: regtech ≠ instant compliance

The EBA’s report confirms what risk professionals have long suspected: you can’t outsource understanding.

Too often, compliance tools are implemented as a quick fix: something to satisfy auditors, win funding, or check a box. But the tools themselves aren’t the problem. It’s the assumptions that surround them.

Here’s what the EBA is really flagging:

  • “Off-the-shelf” platforms that don’t reflect business-specific risks: These may look impressive in a sales demo, but they fail to address the nuances of real-world operations.
  • Over-reliance on a handful of vendors: Without internal subject matter expertise, organizations can’t validate the outputs or detect when the tool is offering false assurance.
  • Poor integration and oversight: In many cases, regtech is layered on top of existing silos, with no effort to connect it to broader risk and control frameworks.

What results is a compliance program that appears robust on the surface but collapses under scrutiny. The EBA makes it clear: technology without governance can do more harm than good.

And when regulators come calling, no tech vendor can be held accountable for your organization’s failure to understand its own risks.

The risk governance gap

The root issue isn’t just bad software or rushed procurement. It’s a deeper governance failure: one that runs through controls, testing, ownership, and visibility.

Poor regtech outcomes almost always trace back to a controls environment that’s fragmented and reactive. That includes:

  • Disconnected or duplicative controls scattered across spreadsheets, platforms, or business units
  • Unclear ownership of key risk mitigation activities, leading to gaps in testing and follow-up
  • Lack of visibility into which risks are covered and which are dangerously exposed

The result is an illusion of control. Technology provides dashboards, alerts, and workflows, but no one can say with confidence that the right risks are being mitigated, or that the controls in place are doing their job.

Controls don’t exist in a vacuum. They must be mapped to specific risks, assigned to people with clear accountability, tested regularly, and adjusted as the environment changes. Without that structure, no amount of technology will make a compliance program resilient.

What good looks like: expert-led, data-driven controls

The EBA’s Opinion doesn’t just diagnose a problem, it implies a standard. Successful compliance programs are expert-led, context-aware, and embedded across the organization.

That means moving away from black-box automation and towards structured, connected, and transparent controls management.

A modern approach should:

  • Provide a single source of truth for controls, risks, obligations, and incidents
  • Enable clear ownership and scheduling, with built-in workflows for assessment and testing
  • Support real-time reporting and oversight, giving leaders the assurance they need
  • Embed compliance into day-to-day operations, not just the audit function
  • Adapt to both external frameworks and internal realities

In short, “fit-for-purpose” regtech means more than ticking a feature list. It means understanding both the regulation and your organization and having a system that connects the two.

Managing controls with confidence

Protecht ERM was designed with one belief in mind: compliance isn’t about box-ticking, it’s about understanding, evidence, and action.

Our platform gives you:

  • A unified controls library, structured and customizable to your needs
  • Streamlined control testing with automated scheduling, evidence collection, and analytics
  • Seamless integration with regulatory and compliance frameworks
  • Real-time visibility into how controls support compliance, risk reduction, and resilience
  • Expert-designed forms, dashboards, and workflows that mature your program over time

And because it's built by risk professionals for risk professionals, it’s not just about software, it’s about supporting the people who make it work.

Conclusions and next steps for your organization

The EBA’s message is clear: regulators will no longer accept surface-level compliance. And as threats from AI, crypto, and sanctions continue to evolve, the cost of failure will only grow.

Now is the time to rethink your approach. Not just to technology, but to governance, accountability, and the role of controls in managing risk.

Ready to move beyond checkbox compliance? Request a demo of Protecht ERM and see how controls management can support your compliance, reduce risk, and build confidence:

Find out more

References

[1] European Banking Authority (2025): Opinion on money laundering and terrorist financing risks affecting the EU’s financial sector. https://www.eba.europa.eu/eba-opinion-ml-tf-risks-2025
Back to list

About the author

Gary has over 10 years’ experience consulting and providing advisory services to a wide range of clients both locally and overseas. He has a MSc in Finance and Capital Markets. Prior to Protecht, Gary spent time with three global banks consulting on risk and strategic change. He started his career in Risk Advisory at KPMG.

You may also like