Crime control, digitalisation and cyberrisks of EU banks in report by the EBA

In December the European Banking Authority (EBA) published its Risk Assessment Report for 2022. The report describes the main developments of and trends in the European banking sector between June 2021 and June 2022 and provides EBA’s outlook on the main risks and vulnerabilities. These risks and vulnerabilities include anti-money laundering (AML), countering the financing of terrorism (CFT), compliance with sanctions regulations and cybersecurity. The digitalisation trends at banks are interesting also.

Crime control

Paragraph 6.3. deals with financial crime risks and describes the describes the externalisation of government functions to banks in the known manner (‘ML’ = money laundering, ‘TF’ = terrorist financing):

A high number of cases of ML involving European banks in recent years caused substantial reputational damage to banks. Several banks were also subject to costly enforcement action in respect of their AML/CFT systems and controls failures. ML/TF undermines the integrity of the EU/EEA banking sector. In the prevention of ML/TF, banks have an important gate-keeper role.

EBA urges harmonisation of AML/CFT regulations:

Differences in the implementation and enforcement of the AML Directive have made the EU’s financial sector vulnerable to ML/ TF. In response, the Commission published in July 2021 a proposal for fundamental legal and institutional reforms of the EU’s AML/CFT framework.

This underlines that the desire for harmonisation comes from the financial sector [1]. Banks seem to have less interest in AML/CFT, EBA remarkably writes:

The focus on ML/TF risk is decreasing
From an operational risk perspective, banks appear to attribute less significance to ML/ TF risk than to other operational risk aspects. (…) It could, for example, be related to banks taking comfort from significant investments into AML/CFT compliance frameworks, and subsequently, to banks considering that these investments have helped them to better identify and manage ML/TF risks they are exposed to. It could also be related to perceptions that breaches of AML/CFT obligations are more of a legal or regulatory nature, rather than purely operational.
A possible underestimation of ML/TF risks may be reflected in perceptions on how related risk exposure might affect specific business lines, such as corporate finance and asset management in the next 6 to 12 months. A large majority of RAQ respondents does not anticipate that ML/TF risk will have a short-term impact on any specific business lines. (…) Furthermore, it needs to be added that indications are that supervisors do not seem to think that ML/ TF risk has decreased significantly, or that banks are significantly better at managing that risk.

Some attention is paid to de-risking, though the position of SMEs seems to be out of focus. The suggestion is made it only harms consumers, e.g. in:

It is important that compliance with obligations relating to restrictive measures does not lead to the financial exclusion of legitimate, vulnerable customers such as refugees

Analysing clients and transactions

The report shows that banks are increasingly using digital means for monitoring and analysing their clients. More information is found in box 12 on page 88, on digitalisation trends at banks:

The trend of continuous increase in the use of artificial intelligence (AI) solutions (including machine learning and natural language processing (NLP) observed since 2018 is continuing. 83% of RAQ respondents reported that they already use AI (including machine learning and NLP), and an additional 12% are either pilot testing or developing AI systems. The use of cloud computing 83 , likely driven by a need to support the adoption of AI/machine learning solutions, has also increased. 85% of RAQ respondents reported it to be in use, up from 71% in 2021 (Figure 91). The change in the use of other monitored financial technologies has been less pronounced. The new data collected on the use of application programming interfaces (APIs) and quantum computing indicate that almost all banks (95%) are already using APIs, while the use of quantum computing is at a very early stage – 3% of banks reported it in use, additional 7% in pilot testing (Figure 91).

The use of AI applications by banks is becoming increasingly popular, and as stated above, around 95% of banks responding to the RAQ are using or developing AI/machine learning approaches for various use cases. Amongst them, the most common use cases of AI/machine learning are i) fraud detection (82%), ii) AML/CFT purposes (80%), iii) creditworthiness assessment or credit scoring (80%), or iv) profiling/clustering of clients or transactions (77%; Figure 92). Other popular AI applications relate to real-time monitoring of payments, risk modelling, including regulatory credit risk modelling, or conduct risk monitoring. RAQ responses therefore show that the use of AI/machine learning by banks is rising, with increasing diversity regarding the scope of services and processes where AI/machine learning solutions are deployed (Figure 92)

In addition to these observations, the AI methods and approaches used by banks appear to be increasingly diverse and complex. For example, while the most reported approaches are decision trees (83% of responding banks use it for at least one of the use cases) and regression analysis (80%), other approaches are also increasingly used by banks, in particular NLP (67%) and neural networks (60%) (Figure 93).

( 83 ) The autumn 2022 RAQ covers cloud computing, including edge computing.



Along with the increase in digitalisation, cybersecurity risks are increasing, EBA notes. These risks are related to outsourcing [2]. More information in paragraph 6.2. on digitalisation and ICT-related risks. ICT risk level is high and further efforts are needed, says EBA. Ransomware attacks have become a particular threat, according to ENISA findings are ‘grim’:

Ransomware has adapted and evolved, becoming more efficient and causing more devastating attacks. Banks as well as their customers should be ready not only for the possibility of their assets being targeted by ransomware but also to have their most private information stolen and possibly leaked or sold on the Internet to the highest bidder.

One of the European answers is DORA, the Digital Operational Resilience Act, described on page 87. This is an EU regulation that provides a framework for the mitigation of ICT risks and aims at enhancing operational resilience of financial entities across sectors. On 27 December 2022 this regulation was published, read also the press release.



[1] I find the argument that vulnerability to ML/TF would be a consequence of missing harmonisation strange.

[2] Page 88: “Growing use of third-party providers to outsource critical services for banks were in particular identified to intensify operational risk“.
Page 89: “As banks have outsourced many services and functions, including critical functions, to third-party service providers, their security risk management capabilities are of high relevance. These third-party service providers should not become channels to spread cyber risks.“.

Over Ellen Timmer

Weblog: ||| Microblog: ||| Motto: goede bedoelingen rechtvaardigen geen slechte regels
Dit bericht werd geplaatst in English - posts in English on this blog, Europa, Financieel recht, onder meer Wft, Wtt, Fraude, witwasbestrijding, Wwft, ICT, privacy, e-commerce, Sanctieregels en getagged met , , , , , , , , , , , , , , , . Maak dit favoriet permalink.

Geef een reactie

Vul je gegevens in of klik op een icoon om in te loggen. logo

Je reageert onder je account. Log uit /  Bijwerken )


Je reageert onder je Twitter account. Log uit /  Bijwerken )

Facebook foto

Je reageert onder je Facebook account. Log uit /  Bijwerken )

Verbinden met %s