The sector consists of a heterogenous set of institutions of different sizes and business models, each carrying different levels of ML/TF risk. Nevertheless, the EBA’s findings suggest that overall, the sector does not manage ML/TF risk adequately. AML/CFT internal controls in payment institutions are often insufficient to prevent or detect ML/TF.
The EBA’s findings also suggest that not all competent authorities are currently doing enough to supervise the sector effectively. As a result, payment institutions with weak AML/CFT controls can operate in the EU, for example by establishing themselves in Member States where authorisation and AML/CFT supervision processes are less stringent to passport their activities cross-border afterwards.