Integrity Insights
Integrity Insights is a podcast from Berlin Risk, a Berlin-based corporate intelligence and compliance advisory firm. In the podcast, we cover the latest developments in the fields of financial crime, political risk, sanctions, open source investigations and much more. The podcast is hosted by Filip Brokes, consultant at Berlin Risk.
AML in Transition: What 2025 Meant for Compliance in Europe
AML CFT Roundup 2025: What changed, and what comes next
In this episode of Integrity Insights, Filip is joined by Jennifer Hanley-Giersch to review the biggest AML/CFT developments of 2025. They discuss why the year marked a shift from incremental updates to structural change, driven by AMLA’s launch, preparation for the EU Single Rulebook, tougher sanctions expectations, and a renewed focus on terrorist financing.
Key themes discussed
- AMLA and the EU Single Rulebook
Although the regulation applies from July 2027, firms face earlier deadlines. From October 2026, national supervisors will collect new risk and controls data to feed AMLA’s risk-scoring model, forcing many institutions to remediate data gaps.
- FinTech and RegTech under pressure
Supervisors reported rising risk from FinTechs, often linked to weak governance and immature controls. Jennifer highlights that many serious failures involve poorly implemented RegTech tools and lack of expertise.
- Germany: BaFin guidance and FIU progress
BaFin’s updated guidance increased expectations around risk assessments (including separating money laundering and terrorist financing risk), residual risk, outsourcing oversight, AML officer responsibilities, and customer data update cycles. The German FIU also reported fewer but higher-quality STRs, with more referrals to law enforcement.
- Terrorist financing and crypto enforcement
Crypto remains a major risk area, but 2025 showed stronger enforcement momentum, including disruption of terrorist fundraising and takedowns of anonymisation infrastructure such as mixers.
- Sanctions and circumvention
The episode highlights evolving circumvention models linked to Iran and Russia, and the continued willingness of EU and US authorities to impose substantial penalties where firms knowingly facilitate sanctioned interests.
- Cyber fraud and operational resilience
They close with the growing impact of cybercrime and DORA-driven supervision of critical ICT providers, reinforcing that resilience is now a core component of financial integrity.
Key takeaway: 2025 accelerated the move toward centralised supervision, higher data expectations, and closer links between AML, sanctions, crypto, and cyber resilience.
Related content:
AMLA's work program: https://www.acams.org/en/opinion/amlas-work-program-and-its-enhanced-oversight-of-casps
Connect with Us:
- LinkedIn: https://www.linkedin.com/showcase/integrity-insights/?viewAsMember=true
- Berlin Risk LinkedIn: https://www.linkedin.com/company/berlinrisk/?viewAsMember=true
- Website: https://berlinrisk.com/
Okay, Jennifer, welcome on the podcast.
Hi Filip. It's really great to be back again.
It's, uh, it's great to have you back. We spoke, uh, about a year ago when we did our 2024 AML/CFT Roundup, and we decided to do this again, uh, this year with 2025. So I'm really, uh, grateful that you found the time. Uh, so if we dive straight into the topic, Jennifer, 'cause there's a lot, uh, to discuss. Uh, so if you look back at, uh, last year, 2025, what were the key topics and big AML, uh, CFT risks that, uh, stood out for you?
Yeah. Very good. Uh, Filip, uh, well, it's clear that for everyone who's working in the anti financial crime space that, you know, this wasn't just a year of incremental changes, which, uh, we had, uh, in the years before, but it's really been a year of kind of fundamental shifts. So between the launch of the new EU anti-money laundering authority in the middle of 2025 and the preparation for the new EU regulation, AFC professionals, I would say, have never been busier. The EBA, the European Banking Authority, uh, really set the tone for the year. Um, they identified three pillars of risk, uh, that have dominated our work. First of all, the geopolitical volatility, so continuously reshaping our approach to sanctions. Second, uh, digitalization, which is moving faster than many traditional controls can keep up with. And thirdly, we've had legislative reform. So as we align ourselves for a more unified, uh, European standard, uh, there's a lot of adjustments to make. Uh, we've also seen increased pressure on the FinTech sector, uh, while incumbent banks continue also to be rigorously supervised. Uh, 70% of supervisors reported an increase in threats from FinTech firms in 2025, specifically citing weak governance and AML/CFT controls. Locally in Germany, BaFin identified significant deficiencies in some of Germany's largest FinTech players, but they've also issued their largest penalty to date, a massive 45 million euros against JP Morgan. So with regard to the crypto sector, this remains a major high risk area from the perspective of the supervisors, though we saw a 2.5% fold. Hmm. Even though we saw a 2.5 fold increase in authorized firms, we're still seeing persistent gaps in compliance. And in some cases, we also see deliberate attempts to bypass oversight entirely. There's also been significant movement on the topic of country risk.
So after lengthy discussions at the EU and the FATF, remove the UAE from the list of high risk, uh, jurisdictions, but added Monaco. And at the end of the year, both Russia and the British Virgin Islands were also added. We're now awaiting official publication of the new list, uh, which we expect to come into force, uh, in January.
So there will be a lot of files that need to be remediated as a result of that. Finally, in 2025, we saw a major refocus on counter-terrorist financing. The EU approved a union wide strategy, and the FATF published its first comprehensive report on terrorist financing risks since 2015. Now what's concerning is the technological adoption by these groups. They're increasingly moving towards virtual assets, online gaming and encrypted messaging platforms for both fundraising and propaganda purposes. So, like you see, Filip, in summary, the big themes that defined our year, uh, were all in all AMLA readiness, a relentless focus on data integrity and heightened vigilance towards terrorist financing and sanctions. So I'm really looking forward to diving into these topics with you today and discussing what they mean for the road ahead.
Thank you, Jennifer. Maybe, maybe the first topic, uh, that I would like to, uh, focus on, you mentioned this, uh, problem of fintechs and, uh, regulatory issues, which is something that one hears a lot these days. Why would you say that these FinTech and RegTech tools or platforms are often so problematic from a, a supervisory perspective?
Yes. Well, the issue companies face, uh, uh, when they're starting out is that they're obviously under pressure to gain market share, and then they sometimes, uh, or often prioritize growth over compliance. Uh, and in addition, the EBA also came out last year saying that over half of the serious compliance failures involve improper use of RegTech tools resulting from poor implementation and lack of expertise. So sometimes companies, uh, introduce RegTech solutions without actually, uh, knowing what these tools are doing and how they're calibrated. So even though everybody's excited about these new tools and also the opportunities that AI can bring to the compliance space, it's important that the technology is properly implemented, understood, and, uh, monitored, uh, adequately as well, uh, to avoid, uh, supervisory scrutiny.
Mm, mm-hmm. Yeah. Yeah, that makes sense. So when we, um, maybe we could focus now on the EU regulatory level. Uh, the so-called Single Rulebook will come into force in July, 2027. Uh, what does it mean exactly for obliged entities?
Yeah. Well, just to recap, uh, uh, on the status of the implementation of the regulation, which will come into force in, uh, July, 2027, um, uh, it's, uh, important to understand that already in 2026, obliged entities will need to prepare, uh, some regulatory and technical standards, uh, so-called RTS, uh, which, uh, are considered level two acts will require financial institutions and alternative investment fund managers to take action within, uh, the next year already. Uh, in particular, there's two draft RTS documents that have been published by the EBA in October, 2025. They're still currently under review, um, by the AMLA, Frankfurt, and, uh, we're expecting them to be enacted, uh, in the middle of 2026. We have no final date, uh, yet, but based on these draft RTS, obliged entities have already started preparing. Uh, but still a lot of work needs to be done in 2026 to be ready for 2020.
Mm. And a, a national supervisor such as BaFin here in Germany or, you know, whatever their equivalents are called in, in other European countries, they'll have to start collecting new risk data from, uh, October, 2026. Uh, what, what kind of information will firms have to, uh, provide to the supervisors?
Yeah, this is a very important point, Filip, and, uh, thanks for, uh, the question. So just to give some background, in order for the national supervisors to be able to feed AMLA's risk, uh, scoring, uh, system that will, uh, be implemented, uh, they will have to periodically collect specific data points from obliged entities, which they will start doing already in October, 2026, so in effect, more than six months before the application of the regulation itself. These data points, which will then be used by supervisors to establish supranational and country inherent risk levels related to the risk categories that we already know, customer, products, geography, and distribution channels. The customer's category, this includes, for example, the number of legal entities with complex corporate structures, the number of customers engaging in high risk activities, or the number of legal entities with at least one UBO located in a non EEA country. So this means basically the obliged entities must report upon data points that they might not at this stage, uh, be collecting. But it doesn't stop there. Uh, so to enable the calculation of residual risk, obliged entities must also provide data on their AML/CFT risk controls, which in Germany currently is not the case. So this data must be categorized by governance and compliance function, by internal controls and outsourcing, risk assessment, customer due diligence, monitoring, transaction monitoring and suspicious activity reporting, targeted financial sanctions, and the group wide AML/CFT framework, if that's applicable. So quite a long list. Uh, there, uh, examples of such control data points include, for example, the number of customers for whom customer information was reviewed and updated in the last calendar year, or the number of customers whose customer, uh, data and information does not yet comply with the requirements of Article 20 of the anti-money laundering regulation.
So also on that front, there's a lot of work to be done.
And, uh, as you mentioned in the, in the, uh, earlier, Jennifer, these da, data, uh, points are important for AMLA to feed its, uh, uh, risk meter, which is another major development in the EU in 2025, the centralization of AML/CFT, uh, supervision in the union. How do you, how do you see AMLA changing the supervisory, supervisory landscape, uh, especially for the entities considered high risks, such as major banks and, uh, crypto exchanges?
Yeah. Uh, very, very good, uh, question. Uh, obviously we don't know the details until the supervision, uh, starts, but, you know, we've been, uh, talking about, uh, AMLA in the future tense for, uh, quite a number of years now. But, uh, as of March, 2025 with Bruna Szego being appointed, uh, head of AMLA, uh, we're, uh, really officially in a status of game on. Uh, her strategy isn't just about adding another layer of bureaucracy. She says it's about creating a central hub that finally harmonizes, uh, AML standards across the entire European Union. So, uh, it might well be that we will have a standardized, uh, a supervisory, uh, approach, at least, uh, for those entities, uh, supervised by AMLA. Uh, one of the most important, uh, takeaways from Szego's first interview is that AMLA is casting a very wide net. Uh, while they will directly supervise banks, they're also targeting a diverse range of financial institutions. Her philosophy is clearly risk over sector. So AMLA will focus on any entity with the highest inherent and residual risk, ensuring that no sector is left behind in the effort to stop, uh, financial crime within the EU. So everyone needs to really mark their calendars for July, 2028. That's when AMLA officially takes over direct oversight of 40 major financial firms the, the EU considers systemically important and high risk. We don't know which firms are gonna be in scope, uh, yet, but, uh, we will, uh, find out over time. Um, what AMLA is also doing is that it's building a central hub for data sharing by connecting the national financial intelligence units. Another important point is that the crypto asset sector is still very much in focus. So while MiCA is now in effect, crypto asset service providers must be licensed in order to, uh, operate. AMLA's 2025 work program called From Vision to Action prioritizes these players specifically because of the risks inherent in cross-border operations and also the anonymity features linked to, uh, crypto assets.
Any crypto asset service providers or large fintechs can expect much stricter harmonized scrutiny, uh, going, uh, forward.
So that will be one of the major, uh, changes for them. Um, Szego is really quite candid about the challenges of fragmented national practices. She specifically mentioned concerns about countries like Malta, where rules might have been applied less rigorously in the past to attract business. Um, we had a recent controversy, uh, involving the rapid licensing of a firm, uh, um, for example, OKX or Crypto.com, which took place in Malta even though, uh, they were known to have unresolved compliance issues. And so what she's striving for is harmonized, uh, oversight, uh, and to make sure that licensing shopping is no longer a viable strategy. And finally just to, uh, wrap up, I think, uh, another point that she made is that she's very much in favor of an open dialogue. Uh, she emphasized that regulations must be cost effective and, uh, importantly that they shouldn't lead to the exclusion of certain customer groups from the financial system. So while the scrutiny is increasing, the goal, uh, she has set herself is to put in place a system that is both robust and inclusive. Uh, so on that point, I think 2020, uh, six will also be the year for building the IT and governance infrastructure, uh, to make that all possible.
Yeah, I mean, thank you for this overview, Jennifer. I just also wanted to invite our listeners to read our article that we, Jennifer and I, on this very subject of AMLA. We also, uh, try to elaborate a little bit on, on those 40 major financial firms, uh, considered systematically important that might be, uh, eventually added, uh, to the list.
So you are invited to read this article. We make sure to link it, uh, in this podcast. But now I would, I would like to focus a bit more on Germany, where the national supervisory body, uh, BaFin expects, expects local German obliged entity, entities to adopt a risk first approach. Uh, can you maybe help us understand what do they mean by this exactly?
Um, yes. Well, this was, uh, a term that was, uh, uh, introduced, um, at, uh, uh, yearly AML/CFT conference in November, 2025. Um, the executive director, Birgit Rodolphe, uh, gave a keynote speech, uh, in which she emphasized that a successful AML/CFT strategy is dependent on a rigorous risk-based approach. So she rejected, uh, decidedly a one size fits all, uh, approach and stressed that the prevention measures must be tailored to the risk taken. Uh, obliged entities, including small entities, um, must ensure that their safeguards match their risk profile, which requires them to really know their customers and understand their business model. But it also, uh, enables, uh, a true implementation of the risk-based approach. So similar to last year's conference, she once again, uh, continued, uh, to emphasize the importance of terrorist financing. She said that obliged entities must make sure that they do not act as conduits for terrorist financing, and that they're particularly vigilant of the risk attached to associations and religious organizations that collect donations, as these can also be used to finance terrorism. Her speech also touched upon evolving geopolitical threats and sanctions, and she noted that high risk circumvention transactions, especially those linked to Iran and Russia, were of concern. Institutions are expected to apply enhanced due diligence where elevated sanctions risks, and she gave the example of trade deals with countries close to sanctioned nations or the use of crypto transfers. Um, another important development last year, um, on the BaFin side is that they updated, uh, their guidance, so-called visor. These came into force on the 1st of February, 2025, and have started to pave the way for the arrival of the EU regulation in 2027, the accompanying guidance, so-called RTS. So what are the main, uh, changes in the German, uh, guidance that came into force, uh, last year? So, first of all, the topic of risk assessment.
So there's the expectation that a clear distinction must be made between the specific money laundering risk and terrorist financing, uh, risks. So these should be outlined separately in the risk assessment and specific risk factors, relevant sources of information, adverse media, uh, and a clear analysis of the current developments should be attributed individually to the money laundering risk and to the terrorist financing, uh, risk. There's an expectation that, uh, the, uh, residual risk is an important part of the risk assessment. When analyzing the residual risk, the effectiveness of the control measures in terms of mitigating the inherent risk must be taken into account and clearly outlined. Understanding and mitigating the residual risk is, uh, key, uh, from a BaFin's perspective. And in addition, the risk assessment methodology must be outlined, uh, in detail. Uh, another point are the internal safeguards. So the outsourcing of internal safeguards, uh, including the function of the anti-money laundering officer itself, uh, does constitute a material outsourcing, uh, as per the German Banking Act. And the obliged entities must therefore ensure that the outsourcing company has adequate resources in order to meet its regulatory obligations. And the responsibility for the appropriate implementation of the controls remains with the obliged entity. And in addition, the guidance requires that the specific roles and responsibilities of the anti-money laundering officer and the deputy money laundering reporting officer are clearly defined and set out in writing. Another point, uh, that was highlighted in the revised guidance, uh, that required, uh, uh, additional attention is the control plan. So the money laundering reporting officers must maintain a control plan, in which the scope and the responsibilities and the due dates, as well as the frequency of individual monitoring and control activities are clearly set out in writing. And the control plan must document the appropriateness and the effectiveness of the control measures. And then finally, whistleblowing, uh, was also, uh, uh, introduced, uh, in the sense that the internal AML/CFT reporting channel, as set out in the Money Laundering Act, can be integrated into, uh, the internal whistleblowing reporting, uh, channel as set out under the Whistleblowing Protection Act.
Then we had some additional, uh, uh, uh, topics, uh, in the guidance focusing on customer due diligence. So data collected to identify entities should be verified on the basis of current official company filings that are no older than three months. The politically exposed persons, uh, list published by the European Commission does not restrict the scope of application as set out in, uh, uh, the German Money Laundering Act.
And this means that public officials of comparable rank below the national level may still be categorized as, uh, PEPs. And this is important because there's quite a lot of differences between, uh, the PEP list across the European Union. The PEP list in Germany is much shorter than the PEP list in Italy or Spain, for example. Uh, we also wrote an article, uh, on, uh, this in ACAMS, uh, Today. So maybe we can link that as well, uh, in the show notes, uh, Filip, uh, that might be interesting for, uh, readers. And then finally, uh, there's a big section on the updating of customer data, which brings me back to my original point about the importance of, uh, data integrity.
So the new guidance introduced shorter update cycles. The deadlines for updating customer data will be shortened, uh, when, uh, the AML regulation comes into force. Um, and so there's a, a lot of work, uh, to be done on that front as well. Um, also in relation to beneficial ownership and the beneficial ownership register in Germany called the, it's important to note that the receipt of registration is not acceptable as proof of registration, as there's no guarantee that the details, uh, were actually entered into the transparency register.
So we need an official confirmation, uh, there. And in 2025, finally, uh, the BaFin, in preparation for the reporting that I also mentioned earlier, have moved away now from a paper-based procedure, uh, for registering money laundering reporting officers, and have introduced an electronic, uh, reporting, uh, system.
Well, Jennifer, thank you very much for this, uh, detailed, uh, description of the BaFin guidance. It's really, uh, there's really a lot, uh, coming, so this is helpful. Uh, if.
Indeed.
So if you focus on, uh, now enforcement, next step. Uh, I remember, I think when we last discussed this over a year ago that, uh, the German FIU was completely overwhelmed with all these, uh, suspicious transaction reports coming in, uh, and which almost like, you know, paralyzed their, uh, the, this whole system, have they managed to turn things around in 2025?
Indeed, uh, the, uh, the Financial Intelligence Unit has really, uh, made, uh, enormous, uh, progress. They actually noted a decrease in the number of suspicious activity reports, uh, in their 2024 and 2025 report. Uh, and I would say that this is the result of improved collaboration and exchange between the FIU and all its stakeholders. Um, uh, they've, uh, published, uh, improved guidance, uh, they've been more clear in terms of the requirements. Uh, and therefore instead of, uh, being inundated, uh, by, uh, a large number of unsubstantiated STRs, they've managed to increase the quality of the STRs, uh, that they've, uh, received. Because even though the numbers of STRs have gone down, the number of reports that the FIU has been able to submit to investigative authorities has increased by 8%. So I deduce from that, uh, uh, improved relevance of the STRs, uh, and, uh, also based on, uh, a good follow up, uh, on behalf of the FIU. And, uh, maybe what's important, uh, in this context is the, in preparation for the coming into force of the new German, uh, reporting legislation on the 1st of March, 2026, BaFin also updated, uh, um, uh, their orientation note in collaboration with the Financial Intelligence Unit, where they clarified the terms of immedia, they clarify the terms of what immediacy and completeness mean, uh, in terms, uh, of, uh, STR reporting. Uh, completeness means that the reports should be well researched.
They should be comprehensive and include a chronological record of investigative steps that led to the filing. Uh, and, uh, at the same time, immediacy means that they should submit a report no later than one day following the completion of the investigation. So the guidance basically aims to prevent defensive reporting and to increase the quality of the STRs they receive.
Hmm. Okay. Uh, another subject is, uh, uh, terrorist financing, especially in, uh, connection to, to crypto sector. You already mentioned this couple of times, uh, in this conversation. For instance, the fact that AMLA, uh, might very well select, among those 40, uh, entities that they will select for direct supervision, there might be indeed some major crypto exchanges registered in the European Union.
The, the crypto sec, sector is often mentioned both in Germany and the EU in, uh, in this context of discussions around terrorist financing and financial crime. Why, uh, do you think the, the crypto sector is so vulnerable to being exploited by criminal actors for, uh, terrorist financing purposes?
Yeah, thanks Filip. This is a very good topic, uh, to focus, uh, on. So maybe let me give you some statistics. Um, I have here the FIU report and they list the crypto sector as a significant, uh, risk area. They received 8,711 reports linked to transactions involving cryptocurrencies. The report highlighted the increase in complexity and anonymity issues posed by digital assets and decentralized financial platforms. So despite the ease of tracing crypto on public blockchains, uh, law enforcement struggles due to, first of all, a patchwork of global regulation, uh, the lack of standardized tools and resources, uh, to, uh, investigate, uh, these, uh, cases adequately. And this allows criminals to obscure their, the origins of their funds, uh, by using, for example, anonymous wallets or automated swapping services. Um, the EBA has published guidance on reporting requirements under, uh, the markets in crypto assets regulation, uh, called MiCA. It requires that reve, requires that relevant checks be performed, including customer due diligence checks on token holders that have submitted a redemption plan. And the guidance also requires that if an issuer is not subject to money laundering, terrorist financing obligations, that customer due diligence must be performed by an intermediary that is not an obliged, uh, entity. So this is an important, uh, point. If there's one thing that we've learned from the enforcement actions in 2025, it's that the anonymity of crypto is becoming, uh, a bit of a myth for, uh, criminals, uh, um, which is a good thing.
So we're seeing a new level of coordination between the FBI and the Department of Justice and other international, uh, agencies, uh, that should make the entire industry a kind of, uh, take, uh, notice. Uh, so, uh, there's been, uh, some very successful crackdowns, uh, across the EU. Just for example, uh, um, uh, to, uh, take note of that, um, what we can look at, for example, is the, um, disruption of the Hamas terrorist network in March, 2025. Back in April, 2023, Hamas publicly announced that they were halting, uh, crypto fundraising. Um, investigations, however, found that they actually continued right through to October, 2024 and collected about 1.5 million US dollars in donations. The Department of Justice and the FBI seized approximately 200,000, uh, US dollars in crypto assets across 17 different, uh, addresses. Uh, and by tracing the funds through operational wallets and OTC brokers, authorities were actually able to see, uh, uh, and work their way through, uh, the, uh, deception. So what's really interesting here in this particular case, and also for our listeners, is the role that some of the major platforms, uh, played in supporting law enforcement. In this case it was Binance and Tether. And these are both firms who've faced their own regulatory, uh, problems in the past. Uh, and they were actually instrumental. So they proactively assisted law enforcement with providing address information and also supporting the seizure of funds. Um, then another case.
For example, in November, 2025, we saw a massive, uh, blow to the anonymization industry, uh, with the takedown of cryptomixer.io. So this wasn't a small operation, uh, since 2016. The mixer had allegedly laundered billions in, uh, crypto by pooling and redistributing the coins to break the transaction trail. And an international team, including prosecutors in Frankfurt and Zurich, managed to seize around 25 million euros in cryptocurrency and also wiped out servers, uh, that were located in Switzerland. This is, uh, as I mentioned before, part of a broader infrastructure takedown strategies. So authorities aren't just going after the users. Uh, they're taking out the service providers, the mixers, the dark net markets, and the malware platforms like Qakbot and Emotet. Uh, so I think the takeaway for compliance officers here is clear, that the tools that criminals use to hide, like mixers and unhosted wallets, uh, are now really in focus of global, uh, law enforcement authorities and, uh, their investigations.
This is, this is really, uh, this is a really, uh, uh, key, really key development. Another, uh, obviously huge, uh, topic that we cannot omit is, uh, sanctions, Jennifer. So in, uh, 2025, what, uh, what, what can you highlight in terms of sanctions, circumvention and enforcement, especially, uh, when it comes to these traditionally, uh, uh, targeted countries like Iran and, uh, and, and Russia?
Yeah. Very good. This is obviously a, a, a really important, uh, point that, like you said, we have to discuss. So let me maybe start with Iran. Uh, in September, 2025, uh, the Council of the EU, uh, reimposed a comprehensive set of restrictive measures on Iran. The move followed the activation of the UN snapback mechanism, uh, due to Iran's non-compliance with the Joint Comprehensive Plan of Action, the so-called JCPOA. Uh, the sanctions reinstate trade restrictions on a wide range of goods and technologies, precious metals and financial services, and they've also reintroduced targeted financial sanctions against more than 200 designated individuals and entities. What's really fascinating, and concerning, uh, for regulators, of course, is how these sanctions are being bypassed. So, uh, BaFin has really sounded the, uh, alarm clock, uh, uh, on the increase in Iran linked circumvention models. They identify two main methods that all listeners in the financial sector should be watching out for. The first is, uh, uh, the exchange trading house model. It involves diverting cross-border payments through intermediaries in the Gulf, particularly in Dubai. These intermediaries act as payment agents, uh, essentially scrubbing the Iranian origin from the transaction, uh, before it's received, uh, uh, by EU institutions. Uh, and then we also have the unlicensed third party route. So we're seeing a rise in unlicensed companies based in, uh, countries like Hong Kong, China, Turkey, but also Switzerland, and they act as payment processors. So their entire purpose is to handle the transaction that would otherwise be blocked by the SWIFT system, uh, or, uh, um, uh, stopped through other bank level, uh, sanctions prevention measures. Um, one case, uh, in Germany, uh, that we had in September, 2025 was a fine issued against Varengold Bank of 3.8 million euros, uh, where, uh, the bank was found, uh, to have had serious deficiencies in managing transactions related to Iran, uh, and the BaFin had actually prohibited Varengold Bank from executing transactions with payment agents and third parties linked to high risk Iranian flows.
But the bank had actually failed, uh, to comply.
This is, this is, uh, really interesting, Jennifer, as like both these, uh, both of these models that you described, the exchange trading house model, and the unlicensed third party route, this is something that we have actually been looking, looking into internally, and I, and I think we might have a podcast on this, uh, subject because this is really like a big, big, big deals.
We might do a podcast like 30 this year on this, but, so this was, this was Iran. Uh, what about, uh, Russian sanctions?
Yeah. Very good. Uh, uh, Filip, and just coming back to your point before, I think the whole topic of sanction circumvention, uh, is, uh, is very, uh, much, uh, in focus and has been, uh, um, part of the four sanctions packages issued against Iran in 2025, uh, where the European Commission has, uh, put a dedicated focus on closing loopholes, uh, but also curtailing, uh, sanction circumvention. So let's look at the topic of physical movements of goods. So the EU is now directly targeting, uh, uh, the shadow fleet, in Russia. And, uh, they've basically sanctioned 153 vessels in total, uh, and, uh, uh, that are now completely banned from EU ports, uh, and, uh, uh, engaging maritime services. Uh, but it's not just the ships. The net has widened to include, uh, third country airlines that are now banned from the EU airspace if they operate domestic flights within Russia or supply aviation goods. Uh, we've seen a full transaction ban on critical Russian air hubs, including, uh, airports in Moscow and some seaports, and Russian ownership of EU road transport companies is now strictly capped at 25%. Um, probably the most striking example of how granular, uh, this, uh, has all become is the ban of video game controllers. It sounds like a kind of a minor topic, uh, until you realize that, um, video game controllers are being repurposed, uh, by the Russian Army to pilot drones. So it just, you know, underlines, uh, um, uh, that a dual use, a challenge that compliance officers, uh, face on a day-to-day basis, um, where it's not just about weapons, but it's about everyday tech that can be weaponized. On the financial front, the EU has now banned 13 smaller banks from using, uh, specialized messaging, uh, uh, services.
Um, the 19th, uh, package, which is the last one, uh, that was, uh, uh, issued, prohibits EU operators from providing crypto services to Russia and take, uh, aiming at the A7A5 ruble-backed stablecoin and various other exchanges, uh, because, uh, uh, um, crypto is being used, uh, for sanctions circumvention purposes, uh, uh, as I mentioned before. And, um, there's also a ban on engaging with, uh, Russian payment systems like Mir or SBP. Um, what the 19th package also prohibits is the import of Russian liquified natural gas into the EU, and there's more stringent limitations, uh, on major Russian energy companies. Also, what's also noteworthy is that, uh, the EU has introduced travel restrictions on Russian diplomats, uh, and limited the services they can provide to the Russian government. And finally, uh, another interesting point is that an additional eight media outlets have been suspended, uh, in the EU for justifying the war. Um, I'd also like to talk about, uh, a fine issued by OFAC, uh, the largest, uh, penalty of 2025. Uh, and that was against, uh, a company called GBA Capital. So, uh, a San Francisco based venture capital firm. Um, and they were fined almost 216 million US dollars, uh, for willfully violating Russian sanctions. And I think this is an important, uh, one, um, uh, they knowingly, uh, continued to manage, uh, a 20 million, uh, US dollar investment for a sanctioned Russian oligarch long after he had been added to the SDN list. Uh, the firm attempted to hide the relationship by, uh, coordinating through the sanctioned individual's nephew, uh, whom, uh, they treated as a proxy to bypass the direct scrutiny. Uh, and even after they received legal advice in 2018, warning them that any transfer of shares would violate sanctions, uh, they still moved ahead, uh, with the, uh, transactions. Uh, and, um, uh, then to make matters worse, the firm failed to fully comply with an OFAC subpoena, uh, um, which led to a discovery of thousands of documents, uh, uh, only after, uh, the penalty notice, uh, had been, uh, issued.
So basically this case proves that relying on formalistic ownership structures or proxy relationships, uh, will not, uh, shield, uh, um, obliged entities, uh, from, uh, being fined, uh, if they have actual knowledge of sanctioned, uh, party's, uh, interest.
I think it's also, as you said, Jennifer, like this last, uh, this GBA Capital, the last case is very, very kind of interesting and indicative of, uh, even, uh, under the, the, the, the current administration, the US, uh, or, or the OFAC is still going strong and enforcing these anti-Russian sanctions, which, uh, uh, some people might, uh, uh, not expect.
But it's still, it's, it's, it's still, it's still, uh, these sanctions are still being heavily enforced. So this is good to, good to keep in mind. And, uh, maybe the last question I would like to ask you, Jennifer, this is not exactly AML, but, uh, it's also something that we cannot really, uh, uh, omit. It's the, the cyber crime, uh, or cyber, cyber fraud sector in 2025, what were, uh, the major risks or, um, sorry, Jennifer, I think I'll have to rephrase this question.
Um, how to say this, um.
So the, the last question, Jennifer, I would like to ask you if we go beyond pure, uh, anti-money, anti-money laundering, what did, uh, 2025 tell us about cyber fraud and, uh, operational resilience risk in the, in the financial sector.
Yeah, this is a really, uh, a good one I think to, uh, end on, uh, Filip, even though it's not strictly speaking financial crime, uh, it, uh, absolutely impacts, uh, what financial crime professionals, uh, are, uh, doing, uh, and it touches, uh, uh, upon a lot of the topics we discussed here already. So I think if you want to understand the scale of the threat, uh, that we're facing, it's good to take a look at the Bitkom study that was published, uh, uh, late last year. They claim that cyber attacks cost German companies almost 300 billion euros last year alone. So an increase of 8%, uh, uh, from, uh, the previous year. They state that, um, nine out of 10 companies have been affected in some way. And, uh, the question, uh, we're asking ourselves is like, where is this all coming from? And, um, I think one interesting point is that obviously organized crime accounts for a large percentage. They say 68% of the attacks, but what we're also seeing is a in activity linked to foreign intelligence services, especially from, uh, Russia and China. Um, the weapon of choice is still ransomware. Uh, 34% of companies, uh, were subject to ransomware, uh, attacks. Um, so it wasn't just a data breach, but really, uh, uh, kind of also threatening, uh, the, um, uh, continuation of the business operations. So in response to that, businesses have pushed their security budgets up to 18%. Uh, some experts say that's not enough.
It should be 20% of the total, uh, budget in order to stay ahead of the curve. But I think a lot is happening, uh, there. Uh, regulators are also stepping up, uh, to help. Uh, the, uh, BSI in Germany published, uh, technical guidance, uh, that is, uh, I think, of great support. Uh, it, it's a good resource for fintechs or banks who are, uh, looking to, uh, patch up, uh, the holes in their system. It's very much focused on a security by, by design approach. And it also kind of provides a concrete testing criteria for, uh, the development of, uh, uh, apps and mobile applications. So to improve, uh, the security as you walk your way through, uh, the development. Um, and maybe another interesting point, uh, on that is, uh, the DORA, uh, the EU regulation to, uh, improve the resilience, uh, of, uh, technology across the EU. Um, and the European supervisory authorities, they published their first official list of critical ICT third party providers, and this is obviously also a game changer. So finally, the regulators have identified the tech companies that the entire financial system relies on, uh, and, uh, cloud providers and data services that are too big to fail have been put under this framework. And so they will be directly supervised, uh, by the European supervisory authorities, uh, to ensure that a failure of a single tech provider doesn't trigger a systemic collapse, uh, on the, uh, banking sector and other sectors, uh, as well, of course.
Um, so I think, you know, cybersecurity in 2026 is now a core component, uh, of financial, uh, stability. Uh, and so, uh, whether you're a small startup or a large company, I think, uh, resilience, uh, is really, uh, the only word that matters, uh, in this context. Uh, and, uh, something to, uh, very much focus on.
Uh, very last thing I would just quickly mention is since we, uh, keep promoting our content here, uh, you, you mentioned these, uh, ransomware groups. We, we actually did a podcast as well on this very subject, uh, I think it was about a year and a half ago. Might link this as well, about, uh, Russian based groups, uh, behind some of these ransomware attacks.
Um, Jennifer, there's, uh, I feel like there's still a lot we could discuss, but we need to stop somewhere and, uh, I feel like there's already a lot of great content. I have certainly learned a lot from this conversation, and I hope our listeners will enjoy this as well.
So, uh, thank you very much again for taking the time, and I look forward to, uh, speaking again, uh, next year to sum up 2026.
Thank you very much, uh, Filip, uh, it's been great to have this conversation with you and yeah, look forward to seeing you soon.