The Decentralized AML Paradox, Part 1: Fragmentation, Over-Compliance, and Risk

The Decentralized AML Paradox, Part 1: Fragmentation, Over-Compliance, and the Subjectivity of Risk

Introduction: Decentralized Financial Crime Compliance

The European payment sector is under pressure from two directions. Regulators expect stronger anti-money laundering and counter-terrorist financing controls, while digital payment volumes continue to grow faster than many legacy compliance systems can handle. In 2023, an estimated $3.1 trillion in illicit funds moved through the global financial system, with Europe accounting for roughly $750.2 billion in cross-border illicit flows and fraud losses above $103.6 billion.

The response has been a dense web of AML/CFT requirements. Those controls are necessary, but they also create market friction when implementation is uneven. Legitimate payments are delayed, low-risk customers are over-screened, and payment companies often find that their commercial trajectory depends on the risk appetite of banks, supervisors, and internal compliance leadership.

At the center of the problem is the European Union's historical reliance on a decentralized regulatory model. For years, the EU used directives such as AMLD4, AMLD5, and AMLD6, which required member states to transpose common objectives into national law. That approach created a patchwork of divergent rules, uneven enforcement, and conflicting supervisory expectations across the Single Market.

The result was regulatory arbitrage, inconsistent treatment of similar risks, and a heavy operational burden on individual compliance officers. The risk-based approach was meant to make AML more efficient. In practice, it often shifts ambiguous regulatory judgment onto individuals who face institutional and personal consequences if they get it wrong.

This first post focuses on the mechanisms behind that dysfunction: fragmented national application, inconsistent high-risk country handling, rising costs, false positives, talent shortages, subjective risk appetite, de-risking, and enforcement cases where growth outpaced controls.

AML controls are not optional. The scale of illicit finance, sanctions evasion, fraud, terrorist financing, and organized criminal use of payment systems makes financial crime compliance indispensable. The problem is that the European payment sector has spent years trying to defend a fast, borderless, real-time market with a compliance architecture that is fragmented, slow, nationally uneven, and heavily dependent on individual interpretation.

That architecture produces market inconsistency that is easy to misunderstand. It does not always appear as outright non-compliance. More often, it appears as contradictory compliance: one institution exits a customer that another institution onboards; one regulator tolerates a product design that another questions; one sponsor bank accepts a fintech's KYB process while another demands additional layers of documentary evidence; one compliance officer treats a payment corridor as manageable while another treats it as categorically unacceptable.

The European payment sector's AML problem is partly legal, partly technological, and partly organizational. The same risk-based approach that gives firms flexibility also gives compliance teams wide discretion. When discretion is exercised under the threat of fines, license restrictions, personal accountability, and reputational harm, the safer internal choice is often defensive over-compliance.

Origins of Regulatory Fragmentation

The European payment sector is undergoing a major AML transformation because the older decentralized regime failed to deliver consistent outcomes. National transposition produced discrepancies in customer due diligence, transaction monitoring, suspicious transaction reporting, and supervisory enforcement.

In an interconnected payment market, that structure is inherently strained. Payment rails cross borders instantly, while compliance obligations remain tied to national licensing regimes, local supervisory interpretations, and institution-specific risk policies.

Divergent National Enforcement

European Banking Authority reviews have repeatedly highlighted the unevenness of AML/CFT supervision across EU and EEA jurisdictions. Even where national competent authorities improved their strategies and supervisory plans, the underlying variance remained significant.

The treatment of virtual IBANs is a useful example. Different competent authorities have interpreted the features of virtual IBANs, the SEPA Regulation, and relevant ISO standards differently. That inconsistency creates blind spots that illicit actors can exploit to layer and conceal funds through jurisdictional arbitrage.

The same problem appears in crypto-assets. Regulators may share broad concerns, but legal obligations, supervisory enforcement, and institutional implementation often diverge sharply. For payment providers operating across borders, the practical result is uncertainty: the same product or customer flow may be acceptable in one jurisdiction but heavily restricted in another.

This uncertainty matters because payment firms do not operate in tidy national silos. A payment institution licensed in one member state may serve merchants, platforms, consumers, counterparties, and banks across many others. Its operating model may involve safeguarding accounts, correspondent arrangements, outsourcing vendors, card schemes, SEPA rails, virtual IBAN structures, embedded finance partners, and crypto exposure. Each layer adds another supervisor, contractual risk appetite, or interpretive standard.

The old directive-led framework therefore created two layers of fragmentation. The first was formal fragmentation: different national laws, reporting channels, registers, supervisory practices, and enforcement traditions. The second was informal fragmentation: the private compliance standards imposed by banking partners, payment networks, auditors, investors, and boards. A fintech might satisfy its legal obligations but still be unable to operate because its sponsor bank applies a stricter internal standard.

That is why regulatory arbitrage was not only a matter of bad actors shopping for weak jurisdictions. It also became a commercial reality for legitimate firms trying to find a licensing environment, bank partner, and supervisory posture that made their business model viable. The Single Market promised passportable financial services. In practice, AML implementation often made that passport contingent on local interpretation.

High-Risk Third Countries and Localized Execution

Cross-border payments involving high-risk third countries expose the same weakness. EU law requires enhanced due diligence when transactions or business relationships involve jurisdictions with strategic AML/CFT deficiencies. The baseline is heavily influenced by the Financial Action Task Force's grey list, while the European Commission updates the EU high-risk list through delegated regulations.

For example, delegated regulations entering into force on January 29, 2026 added Bolivia, the British Virgin Islands, and the Russian Federation to the EU high-risk list. Burkina Faso, Mali, Mozambique, Nigeria, South Africa, and Tanzania were removed after implementing action plans.

The list is centralized, but execution is not. "Enhanced vigilance" may mean one thing to a German-licensed processor and another to a Maltese or Cypriot peer. One firm may require several layers of source-of-funds evidence; another may rely on automated checks. Both may claim to satisfy the same requirement.

This is the practical effect of decentralized AML: similar risk scenarios can produce different outcomes depending on licensing geography, banking partner expectations, and the risk culture of the compliance function.

The problem becomes sharper when lists change. A newly added high-risk jurisdiction does not merely trigger a policy update. It can force changes to onboarding questionnaires, risk-scoring logic, payment screening rules, customer communication templates, enhanced due diligence workflows, case management queues, and board risk reporting. If a payment company operates across several markets, each local team may interpret the change differently.

Removal from a list is not necessarily symmetrical. A jurisdiction may be formally de-escalated, but many institutions will not immediately reduce controls. They may continue to treat the country as high risk because of internal policy lag, sponsor-bank expectations, historical experience, or fear that a regulator will later question the decision. In theory, delisting should reduce friction. In practice, institutional risk memory can persist long after the legal trigger has changed.

That asymmetry drives over-compliance. Escalations are fast because they are defensive. De-escalations are slow because they require someone to accept risk. In a fragmented environment, few compliance officers are rewarded for making commerce smoother. Many are judged harshly if a later issue makes their decision look permissive.

The Cost Burden of Compliance

AML compliance is no longer a background cost of doing business. It affects payment company profitability, product design, and market access.

Industry studies put the annual cost of financial crime compliance across Europe, the Middle East, and Africa at $85 billion. Nearly all surveyed institutions reported cost increases, and a large majority said reducing compliance costs had become a strategic priority.

The drivers are straightforward. Regulation keeps expanding, legacy monitoring systems are poorly suited to real-time digital payments, and alert volumes rise with transaction volumes. Around 78% of EMEA firms report that screening workloads and alert volumes are increasing alongside payment volumes.

For payment service providers, the compliance cost problem is especially acute because margins are often thin and volume-driven. A traditional bank may absorb compliance cost across lending, deposits, wealth management, treasury, and corporate banking. A payment company may depend on transaction fees, interchange economics, subscription revenue, or embedded finance spreads. When alert volumes rise linearly with payments but compliance staffing costs rise faster than revenue, the business model becomes fragile.

This creates a trap. Firms need scale to survive, but scale creates more alerts, onboarding reviews, sanctions checks, customer refresh cycles, policy exceptions, and audit evidence. If the control architecture is not scalable, growth becomes a regulatory liability. A company can acquire customers faster than it can understand them.

Legacy systems intensify the trap. Many monitoring engines were built for slower banking environments where batch processing and retrospective review were acceptable. Modern payments require real-time or near-real-time decisions across cards, instant payments, wallets, cross-border transfers, marketplace payouts, merchant acquiring, crypto flows, and embedded finance. A static rules engine designed around blunt thresholds is poorly matched to that environment.

The Compliance Talent Shortage

The human side is also strained. The industry faces a shortage of AML, KYC, sanctions, and financial crime professionals. Some surveys report that 43% of global banks have critical regulatory work going undone because of staffing gaps, while senior compliance vacancies can remain open for roughly 18 months.

In hubs such as Luxembourg, Amsterdam, and Frankfurt, competition for compliance talent has inflated wages and increased poaching. When teams cannot be staffed properly, backlogs grow, onboarding deadlines slip, and investigation quality declines.

The talent shortage also changes internal power dynamics. A strong senior compliance officer becomes both expensive and hard to replace. Firms may tolerate highly conservative decisions because losing that person could be worse than accepting commercial friction. Conversely, weaker firms may leave underqualified staff to interpret complex rules because they cannot recruit experienced personnel. Both outcomes are risky.

The problem is not simply headcount. AML work requires domain judgment: understanding corporate ownership structures, sanctions evasion patterns, typologies, payment rails, source-of-funds evidence, customer behavior, and regulatory expectations. That expertise takes time to build. When experienced analysts leave, institutions lose institutional memory about previous escalations, model tuning decisions, regulatory feedback, and customer risk patterns.

This is why staffing shortages directly affect enforcement exposure. Backlogs do not merely slow the business. They can delay suspicious activity reporting, weaken enhanced due diligence, reduce the quality of customer refreshes, and create audit trails showing that the firm knew work was overdue. In AML, operational delay can become legal evidence.

False Positives and Payment Bottlenecks

The most visible operational consequence is the payment bottleneck: legitimate liquidity is trapped because a transaction is held for compliance review. This can create cash-flow problems for businesses that rely on predictable settlement.

False positives are the main mechanism. In sanctions screening and transaction monitoring, a false positive occurs when a legitimate customer or transaction is incorrectly flagged as suspicious. Legacy rule-based systems rely on static thresholds, rigid keyword matching, and simple name similarity. They often fail to understand context.

False positive rates in traditional monitoring environments regularly exceed 90%. That means most alerts consume analyst time without identifying real risk. Every unnecessary alert pulls scarce compliance capacity away from genuine financial crime typologies and increases the probability that important cases are handled late or poorly.

False positives are not harmless. They freeze money, frustrate customers, slow onboarding, increase abandonment, and create internal conflict between product, operations, and compliance. A merchant waiting for settlement may experience a compliance hold as a liquidity shock. A freelancer or small business may have no practical way to provide the documents requested within the required timeframe. A platform payout delay may cascade into reputational harm for the platform itself.

The institutional consequences are just as serious. High false positive rates normalize alert closure. Analysts become habituated to low-quality alerts, which increases the risk that a genuine typology is treated as routine noise. Managers respond by creating productivity targets, which can further incentivize fast closure instead of deep analysis. Regulators then scrutinize whether alerts were reviewed with enough care, whether escalation thresholds were appropriate, and whether the firm filed reports on time.

This is the circular logic of weak compliance technology: bad rules generate excessive alerts; excessive alerts create backlogs; backlogs produce pressure to close cases quickly; rushed closures reduce investigative quality; poor quality attracts supervisory criticism; supervisory criticism leads firms to add more rules; more rules generate more alerts.

Payment bottlenecks are the economy-facing expression of that cycle. They are not just internal workflow problems. They are points where compliance uncertainty converts into delayed liquidity.

The Compliance Officer's Role

The legal framework says firms must use a risk-based approach. In theory, this allows institutions to allocate resources efficiently: enhanced due diligence for high-risk vectors, lighter treatment for low-risk commerce.

In practice, financial crime risk is hard to quantify. Guidance is often principle-based, and the specific treatment of a customer, corridor, product, or transaction pattern depends on internal risk appetite. That appetite is ultimately interpreted by human beings operating under pressure.

Rational choice theory helps explain why compliance officers skew defensive. The cost of being too permissive can include fines, license restrictions, reputational damage, and personal liability. The cost of being too conservative is usually borne by customers, product teams, or revenue lines. Under that incentive structure, over-compliance can be rational even when it is commercially damaging.

This is why two payment companies can face the same fact pattern and reach opposite decisions. A compliance leader comfortable with behavioral analytics and dynamic monitoring may approve a cross-border product with targeted controls. A more conservative officer may block the same product entirely. Both may believe they are applying the risk-based approach.

The danger runs in both directions. Over-compliance can block legitimate activity, but arbitrary business pressure on compliance can be equally damaging. Enforcement cases have shown that capping alerts or mechanically suppressing risk indicators to clear backlogs can produce regulatory consequences. Compliance cannot be treated as a quota to minimize; it needs enough authority and resources to operate honestly.

The compliance officer's position is difficult. Business teams often see compliance as a blocker. Regulators see compliance as the institution's first line of defense against abuse. Boards expect compliance to protect the license without destroying growth. Sponsor banks expect fintech partners to absorb strict controls. Customers expect instant access and minimal friction.

No single officer can satisfy all of those expectations through judgment alone. Yet in many firms, the risk-based approach collapses into individual discretion because the institution has not invested in clear risk appetite statements, reliable data, defensible analytics, documented escalation pathways, and board-level ownership. In that vacuum, personality fills the gap.

A commercially pragmatic compliance leader may be willing to accept managed risk if controls are measurable and evidence-backed. A more defensive leader may prefer categorical bans, extensive documentation, and manual sign-off. A less experienced leader may simply copy what a sponsor bank demands. A pressured leader may quietly narrow the alert funnel to keep operations moving. Each approach produces a different business outcome under the same formal legal framework.

This subjectivity matters because the incentives point in different directions. The law asks for proportionality. The institution asks for growth. The regulator asks for defensibility. The individual compliance officer, facing asymmetric downside, often chooses the path that is easiest to defend after the fact rather than the path that best balances risk and access in real time.

In a fragmented AML system, the compliance officer becomes the practical interpreter of the Single Market. The same transaction can be treated as manageable risk, excessive risk, or unacceptable risk depending on institutional psychology.

De-Risking: When Safety Becomes Exclusion

The clearest manifestation of conservative risk appetite is de-risking. Instead of managing specific customer risks, institutions terminate or restrict entire categories of customers, geographies, or business models because they are too costly or complex to monitor.

The European Banking Authority has identified de-risking as a major consumer issue, alongside payment fraud and indebtedness. Individuals and legitimate businesses face increasing difficulty opening or retaining payment accounts, even though those accounts are essential for economic participation.

The burden falls heavily on vulnerable populations, non-profits operating in higher-risk zones, SMEs with cross-border supply chains, freelancers, digital nomads, and non-bank payment institutions that depend on sponsor banks.

There is also a gap between regulatory perception and market reality. Some supervisory reports suggest unwarranted de-risking is decreasing. Market participants report something different: correspondent banking networks continue to shrink, non-bank PSPs struggle to maintain banking relationships, and sponsor banks impose requirements that go far beyond statutory minimums.

This is gold-plating: the implementation of controls that exceed legal requirements because the institution wants to avoid any plausible enforcement exposure. For fintechs, it can become existential. A firm may design a proportionate, digital-first onboarding experience, only to find that its banking partner demands stricter controls than the law itself requires.

De-risking is especially damaging because it pushes risk out of visible, regulated channels. When legitimate customers lose access to mainstream payment services, they may turn to informal networks, poorly supervised intermediaries, cash-heavy arrangements, or offshore providers. The original risk does not disappear. It becomes harder to monitor.

Non-profit organizations illustrate the problem clearly. A charity operating in or near a conflict zone may have an obvious humanitarian purpose, but its geography, counterparties, and cash-flow patterns can trigger enhanced scrutiny. A bank may decide that the revenue from the relationship does not justify the monitoring burden. The charity is then excluded not because it is criminal, but because it is operationally inconvenient.

SMEs face a similar problem in cross-border trade. A small importer dealing with suppliers in a higher-risk region may be asked for documentation it cannot realistically obtain, especially when supplier ownership, local registries, or banking records are incomplete. The risk-based approach theoretically allows nuance. In practice, the institution may simply decline the relationship.

For non-bank PSPs, the de-risking problem is amplified by dependence on sponsor banks and safeguarding arrangements. A sponsor bank's compliance department may impose rules that the fintech must pass down to its own customers. The fintech then becomes the operational face of a risk appetite it does not fully control. This can make product design unstable: an onboarding flow that works today may fail tomorrow if a bank partner changes its interpretation.

Enforcement Case Studies

Recent enforcement actions show that neither innovation nor scale protects a firm whose financial crime controls fail to keep pace with growth.

Digital challenger banks have been fined where customer acquisition outpaced sanctions screening and monitoring capacity. Starling Bank received an FCA penalty after automated sanctions screening failed to scale with rapid user growth. Revolut faced a Lithuanian fine for inadequate AML monitoring protocols. These cases show that a superficial compliance layer added after growth is not enough.

The Lithuanian EMI scandal illustrates the danger of regulatory arbitrage. Lithuania built a fintech-friendly licensing environment, but rapid growth was not matched by equivalent supervisory depth. A licensed EMI allegedly facilitated around EUR2 billion in laundering through shell companies and criminal networks. The case shows how a local supervisory gap can become a Europe-wide vulnerability when a license provides access to SEPA payment rails.

The TD Bank enforcement action in the United States added another lesson for European institutions. The financial penalty was large, but the asset cap was more strategically damaging. By limiting growth, regulators showed that AML failures can trigger operating constraints, not just fines. European supervisors have taken note, and payment institutions increasingly face onboarding restrictions, license pressure, and business model constraints when controls are not credible.

For European payment firms, the lesson is clear. Regulators are no longer satisfied with policies that look correct on paper. They expect controls to scale with the business, monitoring scenarios to be maintained, alerts to be investigated, suspicious activity to be reported, and governance to identify resource gaps before they become systemic failures.

The "growth-at-all-costs" model is therefore incompatible with regulated payments. A firm cannot treat AML as a late-stage operational layer added after product-market fit. In payments, compliance is part of the product's load-bearing structure. It determines which customers can be served, which corridors can be opened, which banking partners will participate, which licenses can be maintained, and which investors will tolerate the risk.

The Lithuanian EMI scandal also shows that formal licensing is not enough. Criminal actors exploit the difference between legal permission and supervisory capacity. A license can provide access to payment infrastructure, but if the underlying controls are performative, that license becomes a laundering tool. This is the type of vulnerability that centralized EU supervision is designed to address.

Conclusion

The decentralized AML model created an unstable operating environment for European payments. Fragmented national implementation encouraged arbitrage, divergent supervision produced inconsistent outcomes, and the risk-based approach placed enormous discretion in the hands of individual compliance officers.

The result is not just higher cost. It is payment friction, financial exclusion, delayed onboarding, false positive overload, sponsor-bank conservatism, and enforcement risk. The old model forced payment companies to navigate a market where the same transaction could be treated differently depending on jurisdiction, institution, and risk culture.

Part 2 examines the EU's attempted solution: AMLA, the Single Rulebook, and the shift toward centralized supervision. It also asks whether centralization will solve the problem or simply replace fragmented ambiguity with rigid, continent-wide operational pressure.

Fragmentation did not merely inconvenience compliance teams. It shaped the structure of the market. It rewarded jurisdictional selection, increased dependence on private risk appetite, made sponsor-bank relationships decisive, and converted compliance officers into de facto gatekeepers of product strategy.

That is why the transition to AMLA matters so much. It is not a narrow institutional reform. It is an attempt to change the operating logic of European AML from national interpretation to supranational standardization. Whether that change will reduce friction or simply centralize it is the subject of Part 2.

Works Cited

• Nasdaq Verafin, "Financial Crime Insights: Europe."
• EUR-Lex, "Directive (EU) 2015/849."
• EUR-Lex, "Directive (EU) 2018/843."
• EUR-Lex, "Directive (EU) 2018/1673."
• EUR-Lex, "Regulation (EU) 2023/1113."
• EUR-Lex, "Regulation (EU) 2023/1114."
• Thomson Reuters, "Thomson Reuters 2016 Know Your Customer Surveys."
• The Global Treasurer, "KYC Pain: Financial institutions and their clients still struggling with ongoing challenges."
• Fenergo, "Know Your Customer: 2022 trends."
• European Central Bank, "AMLA and ECB Banking Supervision: strengthening cooperation."
• Institute of International Finance, "The Evolution of the AML/CFT Landscape Under the New European Anti-Money Laundering Authority."
• FIAU, "AMLA: A New Chapter for Europe's AML/CFT Framework."
• Taylor & Francis, "The New EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism."
• KPMG, "Regulatory insights."
• European Banking Authority, "Opinion of the European Banking Authority on money laundering and terrorist financing risks affecting the EU's financial sector."
• Bird & Bird, "EU List of high-risk countries and jurisdictions for money laundering and terrorism financing amended."
• European Commission, "Anti-money laundering and countering the financing of terrorism at international level."
• Garrett & Fields, "The 2025 Compliance Talent Crisis."
• Harmoney, "Facing compliance challenges: talent shortages, alert overload and regulatory change."
• Selby Jennings, "The Compliance Market in Europe."
• SGH Warsaw School of Economics, "Payment bottlenecks in Poland and in the European Union."
• Napier AI, "How to reduce false positives in client and transaction screening."
• Silent Eight, "2025 Trends in AML and Financial Crime Compliance."
• Fenergo, "4 Anti Money Laundering (AML) Requirements for Payment Processors."
• Horizon Research Publishing, "Determinant of Compliance Perceptions among Bank Officers towards Anti-Money Laundering."
• Compliance Week, "Survey: Firms Still Struggle Greatly with AML 'Culture of Compliance'."
• FCA, "Drivers & Impacts of Derisking."
• European Banking Authority, "EBA identifies payment fraud, indebtedness and de-risking as key issues affecting consumers in the EU."
• Swift, "Addressing the unintended consequences of de-risking."
• ResearchGate, "'De-Risking', De-Banking and Denials of Bank Services: An Over-Compliance Dilemma?"
• U.S. Department of the Treasury, "The Department of the Treasury's De-Risking Strategy."
• International Finance Magazine, "Europe's compliance crackdown."
• EIMF, "Lessons from Financial Crime and Regulatory Compliance Enforcement Cases."
• Fenergo, "Scandal-as-a-Service: AML Lessons from Lithuania's EUR2 Billion Case."
• FATF, "Anti-money laundering and counter-terrorist financing measures Lithuania."