34 results for "EBA"
The EU's comprehensive AML/CFT legal framework, aligned with international FATF standards, is centered on the Risk-Based Approach (RBA). This principle mandates a dual application, defining responsibilities for both supervisory bodies and financial institutions. National Competent Authorities (NCAs) are mandated to conduct risk-sensitive supervision, ensuring their oversight is proportionate to identified threats. Concurrently, banks must implement effective internal systems, controls, and customer due diligence based on their own risk assessments. The strategic purpose of the RBA is to ensure that both supervisory efforts and institutional resources are allocated proportionately and effectively against the greatest ML/TF risks.
In 2026, the European Banking Authority (EBA) is stepping up implementation of the DORA regulation in the face of growing cyber threats and dependence on third-party providers. Priorities include direct oversight of critical third-party providers (CTPPs) through a joint framework with ESMA and EIOPA, targeted inspections and thematic reviews. The EBA will strengthen its analysis of ICT incidents and publish an annual report on cyber threats. Financial institutions will need to improve their ICT risk management frameworks and their internal resilience, under heightened supervision, to ensure compliance and robustness in a complex digital environment.
The EBA, alongside ESMA and EIOPA, plans joint oversight of Critical ICT Third-Party Providers (CTPPs) from 2026, following their 2025 designation. Measures include direct engagement on governance, thematic contract reviews, and onsite inspections of high-risk areas, with recommendations passed to financial entities. Supervisors will assess institutions’ ICT third-party risk management, incident response, and cybersecurity preparedness, including legacy system risks. The EBA will analyze major ICT incidents, contribute to a pan-European coordination framework for systemic events, collect new datasets via EUCLID, and support supervisory convergence to ensure consistent DORA implementation across the EU.
On 12 August 2025, the European Banking Authority (EBA) published a report on the use of supervisory technology (SupTech) in anti-money laundering and counter-terrorist financing (AML/CFT) oversight. It draws on a November 2024 survey of 31 competent authorities across 25 EU member states (plus three outside) and a January 2025 workshop with the European Commission’s AMLA Task Force (Global Regulation Tomorrow). The report notes that 47% of SupTech tools are already in production, 38% are under development, and 15% are exploratory. Benefits include improved data quality, analytics, efficiency and collaboration, while challenges involve limited resources, governance issues, legal uncertainties and organizational readiness.
The draft strengthens governance arrangements, clarifies management body roles, and enhances oversight of internal control, risk management, and compliance functions. It incorporates ICT and security risk management in line with DORA, requiring institutions to integrate digital operational resilience into governance frameworks. The revisions also address anti-money laundering, conflicts of interest, and gender-neutral remuneration. Stakeholders can submit feedback until October 2025, with final guidelines to replace the 2017 version.
This Final Report (EBA/RTS/2025/03) presents draft Regulatory Technical Standards (RTS) under the Capital Requirements Regulation (CRR) III. It addresses three mandates:
• An operational risk taxonomy with Level 1 event types, Level 2 categories and supplementary attributes (including ESG and ICT risks), to standardise how institutions classify loss events.
• Criteria for deeming the annual‑operational‑risk loss calculation “unduly burdensome” for certain institutions, allowing temporary waivers.
• Rules for adjusting loss‑data sets when firms merge or acquire entities, including currency conversion, re‑classification and fallback proxies.
This opinion and accompanying report from the EBA provide a comprehensive overview of money laundering (ML) and terrorist financing (TF) risks across the EU's financial sector from 2022 to 2024. The EBA, mandated to issue such an opinion biennially, identifies evolving threats driven by technological innovation, including vulnerabilities in FinTech, RegTech, and crypto assets, alongside the increasing sophistication of fraud and cybercrime schemes. While acknowledging positive developments like reduced tax crime risks and improved supervisory engagement in certain areas, the EBA highlights persistent challenges such as inconsistent anti-money laundering and counter-terrorist financing (AML/CFT) system effectiveness and the continued prominence of customer due diligence (CDD) shortcomings. The report underscores the critical need for regulatory clarity and a more unified application of risk-based approaches throughout the EU's financial landscape.
This EBA report, created in consultation with ESMA and EIOPA, addresses the provision of core banking services to EU financial sector entities (FSEs) by third-country undertakings (TCUs). Specifically, it examines whether existing exemptions from establishing an EU branch for these services, currently extended to EU credit institutions, should be broadened to include all EU FSEs. The report analyzes quantitative supervisory data on cash exposures and lending activities and incorporates qualitative feedback from stakeholders, concluding that there is no compelling case to expand these exemptions. It also highlights challenges in data availability and inconsistencies in the definition of core banking services, suggesting that existing flexibilities and MiFID carve-outs largely accommodate current business needs.
These proposed guidelines update the 2019 EBA Guidelines on Outsourcing to align with the Digital Operational Resilience Act (DORA). Key aspects include:
◾ Risk Management Framework: Financial entities must assess, monitor and mitigate risks throughout the third-party arrangement lifecycle, including due diligence, contractual phases and exit strategies.
◾ Proportionality Principle: The guidelines provide specific criteria for applying proportionality, limiting documentation burdens on financial entities and authorities.
◾ Consistency with DORA: A single register can be used for both ICT and non-ICT services, streamlining information storage and reducing administrative burdens.
◾ Transition Period: Financial entities have two years to review and amend existing arrangements and update their registers.
The consultation runs until October 8, 2025, allowing stakeholders to provide feedback on the draft guidelines.