RegRally Insights: Your Guide to AML/CTF Compliance, July 2025

ECOVIS ProventusLaw invites you to the new newsletter on AML and CTF. It is dedicated to everyone who wants to understand the latest trends and developments, get tips from our experts and deepen their knowledge.

Lithuania Amends AML/CFT Law to Align with EU Standards and Ease Compliance Burden

The Seimas of the Republic of Lithuania approved draft amendments to the Law on the Prevention of Money Laundering and Terrorist Financing (PPTFPĮ). While pending official signature, the key legal changes are already clear and mark a shift toward greater flexibility and EU alignment.

Key Amendments:

1. Powers of Attorney – Apostille/legalisation no longer required for documents issued in EU Member States.

2. Customer Due Diligence (CDD)—Institutions are no longer obliged to demand specific documents; instead, they must apply reasonable measures under a risk-based approach.

3. Data Sources—Financial institutions may now collect customer and beneficial ownership data from reliable sources other than official registers, enhancing flexibility.

4. Simplified Due Diligence (SDD)—The prescriptive list of low-risk scenarios is replaced by risk indicators, allowing a more adaptive assessment. The €1,000 threshold for e-money accounts has been abolished, and identity verification remains obligatory.

The recommendation of ECOVIS ProventusLaw:

• Update internal policies to remove apostille/legalisation requirements for EU-issued powers of attorney.
• Revise onboarding practices to incorporate the new “reasonable measures” standard for CDD.
• Enable access to reliable third-party data sources for ownership and identity verification.
• Adjust SDD procedures to reflect the shift from rule-based to indicator-based risk assessments; remove references to the €1,000 e-money threshold.
• Assess whether your institution is subject to AMLA supervision per EU Regulation 2024/1620 and prepare for potential annual supervisory fees.

Bank of Lithuania Mandates Real-Time IBAN Name Verification for All Euro Payments

The Bank of Lithuania announced a binding anti-fraud measure, effective 9 October 2025, requiring all euro area payment service providers (PSPs)—including banks, credit unions, EMIs, and PIs—to verify real-time beneficiary name for SEPA and instant euro payments.

Key Requirements

• Automatic pre-payment check: The name provided by the payer must be verified against the legal account holder of the IBAN in real-time via the PSP’s secure electronic channel (e.g., internet banking or app).
• Verification outcomes must be clearly shown as:

1. Full match

2. Near match (with suggested correction)

3. No match

4. Verification unavailable

• Payer discretion: Even if mismatched, payers can proceed, but assume liability for losses unless the PSP failed to perform or misperformed the check.
• Liability rules:
  • Payer liable if proceeding despite warning.
  • PSP liable if verification was not performed or failed and led to a misdirected payment.
• Anti-phishing safeguard: PSPs must not send verification or payment confirmations via emails or SMS with links—information must only be shared within official online platforms.

ECOVIS ProventusLaw Recommendations:

– Integrate real-time IBAN name checks into payment screens with visible result categories.

– Update user terms to clarify liability—payers accept risk if ignoring a mismatch.

– Define protocols for each verification outcome; prepare customer support for related inquiries.

– Ban out-of-band communications (e.g., email/SMS payment confirmations); include this in staff training.

– Train all staff on:

• New verification interface
• Legal implications
• Support procedures
• Fraud prevention policies

– Coordinate with IT & Compliance to:

• Implement accurate name-IBAN matching tools
• Ensure GDPR-compliant processing

– Test thoroughly before the 9 October 2025 go-live, including edge cases (e.g., near matches, downtime).

CJEU Confirms Bank of Lithuania’s Supervisory Authority Over Paysera

The Bank of Lithuania announced that the Court of Justice of the European Union (CJEU) had ruled in its favour, rejecting Paysera’s legal challenge to supervisory measures imposed by the central bank.

Key Points

• CJEU ruling: The Court upheld the discretion and authority of national regulators, confirming that the Bank of Lithuania had correctly applied AML and payment services (PSD2) rules under EU law.
• The judgment dismisses Paysera’s claims and validates the supervisory mandate of the Bank of Lithuania in enforcing compliance among payment service providers.
• The decision sets a precedent affirming that national financial supervisors can act within the EU’s anti-money laundering and payment regulation frameworks.

ECOVIS ProventusLaw Recommendations

– Ensure robust compliance with AML and PSD2 obligations, including real-time transaction monitoring, customer due diligence (CDD), and safeguarding of client funds.

– Maintain clear, documented procedures for engaging with regulators:

• Responding to audit and inspection queries
• Timely notification of breaches or incidents
• Transparent reporting structures

– Monitor EU-level case law and regulatory guidance to align with evolving interpretations of supervisory powers and compliance standards.

FATF Adopts Revised Travel Rule Standards for Cross-Border Payments

The Financial Action Task Force (FATF) adopted updated standards to Recommendation 16, widely known as the “Travel Rule”, to strengthen transparency and traceability in peer-to-peer (P2P) cross-border payments.

Key Changes

• For P2P transfers exceeding USD/EUR 1,000, financial institutions must now:
  • Collect and transmit standardised originator and beneficiary data:
    • Full name, address, date of birth
  • Emphasis is placed on preserving this data throughout the payment chain.
  • New standards mandate the use of fraud-prevention technologies, such as:
    • IBAN/name matching tools
    • Real-time recipient verification
  • Clarifications were also issued for:
    • Card-based transactions
    • Limited scope of exemptions

The revised standard is already in effect (June 2025), but institutions have until the end of 2030 to fully comply.

ECOVIS ProventusLaw Recommendations

– Upgrade IT systems to:

• Capture and transmit required Travel Rule data fields in a structured, interoperable format.
• Flag and manage transactions exceeding the EUR/USD 1,000

– Integrate anti-fraud solutions into payment platforms, such as:

• Real-time IBAN/name verification
• Automatic error detection to prevent mismatched or incomplete data

Bank of Lithuania: Credit Union Sector Profit Drops by Over 40% in Q1 2025

The Bank of Lithuania reported that the credit union sector posted a net profit of €2.8 million in the first quarter of 2025, marking a decline of more than 40% compared to €4.8 million in the same period last year.

The Bank of Lithuania emphasised the importance of maintaining capital buffers and risk management practices amid challenging market conditions.

ECOVIS ProventusLaw Recommendations:

– Review interest rate risk strategies to adapt pricing to higher funding costs
– Balance deposit growth with responsible lending to preserve margins
– Incorporate capital stress testing into planning frameworks
– Diversify revenue (e.g., grow non-interest income and boost efficiency)
– Maintain transparent reporting to regulators and boards to ensure accountability and compliance.

FATF Updates Grey List and Highlights Virtual Asset Compliance Gaps – June 2025

As of 13 June 2025, the Financial Action Task Force (FATF) issued updates to its list of jurisdictions under increased monitoring (commonly known as the “grey list”) and reiterated concerns over global virtual asset regulation gaps.

Added to the Grey List:

• Bolivia
• Virgin Islands (UK)

Removed from the Grey List:

• Croatia
• Mali
• Tanzania

These jurisdictions have either entered into or completed strategic action plans to address AML/CFT/CPF deficiencies.

High-Risk Jurisdictions (Call for Action)

• DPRK and Iran remain subject to countermeasures due to severe and persistent non-compliance with FATF standards.
• Myanmar (Burma) continues to require enhanced due diligence (EDD) but is not yet subject to countermeasures.

FATF emphasised that only a minority of countries have effectively implemented Recommendation 15 (governing virtual asset service providers – VASPs) and its Interpretive Note. This leaves major gaps in:

• Cross-border supervision
• Beneficial ownership transparency
• Travel Rule compliance.

ECOVIS ProventusLaw Compliance Recommendations:

1. EDD for Myanmar

• Apply enhanced due diligence for clients/transactions with links to Myanmar.
• Monitor for potential circumvention or indirect exposure.

2. Total Restriction on Iran & DPRK

• Prohibit transactions and correspondent banking with Iranian or North Korean entities.
• Follow FATF’s call for countermeasures, including blocking mechanisms.

3. Policy and Screening Updates

• Refresh internal grey list references.
• Update client onboarding, sanctions screening, and due diligence procedures in line with the revised FATF jurisdictional status.

4. Strengthen Virtual Asset Risk Controls

• Evaluate exposure to underregulated VASPs and crypto jurisdictions.
• Implement and audit controls aligned with Recommendation 15, including Travel Rule compliance, originator/beneficiary info capture, and ongoing risk monitoring.

The European Council of the European Union  

On 11 June 2025, the European Commission updated its list of high-risk third countries under the EU’s AML framework, identifying Algeria, Angola, Côte d’Ivoire, Kenya, Laos, Lebanon, Monaco, Namibia, Nepal, and Venezuela as new additions and, conversely, removing Barbados, Gibraltar, Jamaica, Panama, the Philippines, Senegal, Uganda, and the UAE from the list, thereby strengthening the EU’s capacity to target and mitigate systemic financial crime threats posed by jurisdictions with strategic AML/CFT deficiencies.

The recommendation of ECOVIS ProventusLaw:

• Apply enhanced due diligence to customers and transactions connected to newly listed high-risk jurisdictions, in line with EU AML Directive requirements.
• Adjust customer risk ratings and KYC profiles for entities and individuals from these jurisdictions, triggering periodic review and senior-level approval for established relationships.
• Document risk-based measures and decisions relating to enhanced scrutiny or restricted dealings with clients connected to the newly designated countries.

UK Financial Crime Enforcement Update – June 2025

The UK Financial Conduct Authority (FCA) has announced major enforcement successes in two high-profile criminal cases, reinforcing its commitment to combating financial crime, investor fraud, and market abuse.

On 27 June 2025, the UK Financial Conduct Authority (FCA) secured a guilty plea from John Charles Burford, sole director of Financial Trading Strategies Limited, concerning a £1 million fraud affecting over 100 investors.

On 19 June 2025, the FCA obtained convictions against Redinel Korfuzi, ex-analyst at Janus Henderson, and Oerta Korfuzi, his sister.

ECOVIS ProventusLaw Recommendations

• Reinforce investment promotion controls:
  Ensure all investment products and services are FCA-authorised. Conduct regular audits on promotional claims, fund performance disclosures, and investor communications.
• Strengthen insider risk monitoring:
  Financial institutions should deploy robust employee surveillance tools, trade restrictions, and pre-clearance mechanisms for personal transactions.
• Implement AML red flag training:
  Detect and escalate suspicious transactions, especially structured cash deposits, layering via CFDs, or trades with access to inside information.
• Document and test reporting procedures:
  Ensure suspicious activity reports (SARs) and internal whistleblowing channels are active, protected, and responsive.