In July 2025 HM Treasury and the Home Office issued the UK National Risk Assessment of Money Laundering and Terrorist Financing 2025 ('NRA 2025'), while the European Banking Authority (EBA) published its fifth Opinion on ML/TF risks affecting the EU financial sector. Both documents review developments between 2022 and 2024 and are intended to guide supervisory priorities and inform the risk management frameworks of regulated firms across the UK and EU.
The 2025 assessments provide, for the first time, a dedicated appraisal of the asset-management sector. Although there is limited evidence of money-laundering through UK-established or managed private funds and hedge funds, the UK authorities identify heightened vulnerability where funds hold hard-to-value assets, pursue opaque investment strategies, employ complex structures, allocate capital to cryptoassets, under-invest in financial-crime controls or place undue reliance on outsourced providers.
The EBA reaches a broadly similar conclusion: while the inherent risk profile for collective-investment undertakings and fund managers is assessed as moderate and trending downwards due to improved controls, new risks are emerging where registered firms move into higher-risk asset classes (real estate, infrastructure, crypto). Across both jurisdictions the supervisors emphasise the need for rigorous oversight of outsourced functions, enhanced scrutiny of beneficial ownership, and a robust, data-driven customer-risk-assessment framework.
Key findings from the two assessments align closely and can be summarised thematically:
- Fraud. Fraud remains the single largest predicate offence in the UK, accounting for more than 43 per cent of all recorded crime. The EBA notes a comparable trend across Member States, with competent authorities citing a marked increase in cyber-enabled fraud. Both reports highlight the difficulty firms face in detecting increasingly sophisticated fraud typologies and stress the importance of swift transaction-monitoring escalation paths. The importance of having robust fraud prevention procedures in place is especially relevant for the UK where the corporate offence of the failure to prevent fraud will come into force on 1 September.
- Sanctions Evasion and Geopolitical Risk. The convergence of money-laundering techniques with sanctions-evasion methodologies has intensified since the imposition of wide-ranging measures following Russia’s invasion of Ukraine. Both the UK and EU supervisors point to the use of complex ownership structures and professional facilitators to mask sanctioned beneficial owners, underscoring the need for firms to maintain dynamic screening capabilities and conduct enhanced customer due diligence (CDD) on higher-risk jurisdictions and counterparties. Firms should ensure they have robust CDD procedures to enable them to identify beneficial owners and run sanctions checks.
- Corporate Structures and Professional Enablers. The abuse of companies, trusts and other legal persons continues to be a material vulnerability. The NRA 2025 and the EBA Opinion each draw attention to nominee arrangements, shell entities and cross-border layering designed to disguise illicit funds. Legal, accounting and trust or company service providers remain critical nodes in these structures, necessitating close scrutiny of source-of-wealth information and ongoing monitoring of complex client relationships.
- FinTech and RegTech. Rapid growth in electronic-money institutions, payment-service providers and other FinTech firms is expanding the attack surface for financial crime. Supervisors note that streamlined onboarding, reliance on third-party agents and investment-led growth strategies can lead to weak CDD controls. RegTech solutions offer efficiency gains but, when poorly implemented or insufficiently tailored, may create systemic vulnerabilities—particularly where several institutions depend on a small pool of providers. The NRA 2025 highlights the outsourcing of Anti-Money Laundering (AML) compliance functions to third-party providers as a particular area of concern, especially where providers lack familiarity with the specific risks of the sector. If firms do outsource AML functions, it is important that the arrangement is monitored to mitigate this risk.
- Cryptoassets. Both reports classify cryptoasset activity as high risk. Registration data in the UK indicate that only a minority of applicants meet the FCA’s AML standards, and the EBA records a surge in transaction volumes alongside an expansion in the number of authorised crypto-service providers. Speed, pseudo-anonymity and cross-border functionality are singled out as key drivers of risk, with evidence of spill-over into more traditional financial sectors. Whilst this is less likely to be directly relevant for asset managers, it may impact portfolio companies in the crypto space.
- AML Controls and Supervision. While some progress is noted—particularly within credit institutions, investment funds and life-insurance providers—deficiencies in CDD remain the most common breach across sectors. Both sets of authorities call for greater consistency in applying the risk-based approach, improved quality of suspicious-activity reporting and more rigorous testing of transaction-monitoring rules, especially where functions are outsourced.
What should you do?
Asset managers and other regulated firms operating in the UK and EU should ensure that their AML/CFT policies, procedures and controls remain commensurate with the evolving risk landscape. Particular attention should be directed towards the oversight of outsourced service providers, the management of higher-risk asset exposures and the application of sound CDD throughout the customer lifecycle. Continued engagement with regulatory developments and proactive alignment with supervisory expectations will be essential to maintaining compliance and mitigating ML/TF risks.