How PSPs Can Future-Proof Screening with Operationally Intelligent Technology

Executive Summary

Cedric Iggiotti

VP of Screening Product

In November 2024, the European Banking Authority (EBA) introduced guidelines on internal policies, procedures, and controls to ensure compliance with EU and national restrictive measures. These rules mark a significant regulatory shift for payment service providers (PSPs) in the EU—demanding more than just updated policies.

With a firm implementation deadline of December 30, 2025, PSPs must act now to ensure their systems, governance, and controls are operationally ready in time.

For those with cross-border exposure, these guidelines raise the bar: static screening methods, siloed detection systems, and weak auditability are no longer sufficient. The requirement now is for sanctions screening to be dynamic, transparent, and integrated—with demonstrable, operationalized governance across systems and workflows.

This white paper explores:

  • The key operational requirements of the EBA guidelines
  • Real-world implications for compliance and technology teams
  • How ThetaRay’s AI-powered platform supports PSPs in meeting (and exceeding) these expectations
  • Key industry enforcement actions that highlight the cost of non-compliance
01 The New Regulatory Landscape

The EBA Guidelines apply to all EBA-regulated entities, including fintechs, banks, and payment service providers (PSPs). A separate, tailored set of guidelines was also released for PSPs [2], reflecting the high-speed, high-volume nature of their transactions.

The overarching goal? Ensure sanctions compliance is embedded into risk management—not bolted on. Key areas of focus include:

The message is clear: compliance is no longer a documentation exercise—it must be demonstrably embedded in how PSPs operate.

02 Aligning Screening Tools with EBA Mandates

The guidelines emphasize that static, siloed, or rule-only screening systems are no longer acceptable. Institutions must demonstrate real-time operational effectiveness across multiple screening dimensions.

Here’s how that translates into real-world requirements:

1 Risk-Based Screening of Customers and Transactions

Implication: Screening must cover both static (customer, ownership) and dynamic (transactional) data.

Operational Need:

  • Real-time or near-real-time screening of all payment messages, supporting global payment ecosystems.
  • Attribute-level screening, including nationality, residency, and control relationships.
  • Advanced name-matching with alias, transliteration, and partial match detection.
2 Screening Tool Calibration, Testing & Validation

Implication: Tools must be maintained to regulatory standards—tested, version controlled, and documented, with regular reviews.

Operational Need:

  • Track rule/threshold changes with full version control.
  • Conduct hit rate testing, precision/recall analysis, and tuning exercises.
  • Adopt model risk management for AI or fuzzy logic systems.
3 Daily Updates and List Management

Implication: Daily sanctions list updates are mandatory.

Operational Need:

  • Automatically ingest and reconcile EU, UN, OFSI, BAFA, and third-party lists.
  • Trigger automatic re-screening upon profile or list changes built into workflows.
  • Validate successful ingestion with corruption/error checks.
4 Ownership & Control Screening

Implication: Indirect control and beneficial ownership must be screened—not just names.

Operational Need:

  • Integrate UBO and shareholder data to identify entities owned ≥50% by listed individuals (per OFSI guidance).
  • Build control graphs to visualize indirect influence.
  • Trigger alerts based on networked risk relationships.
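The aggregate-ownership rule above, worked through as an added example (this is illustrative code, not ThetaRay's platform): a constructed shareholder register is treated as a control graph, direct and indirect holdings of listed persons are summed along every ownership chain, and entities at or above the page's 50% threshold are flagged for review. The names, percentages and the `SAMPLE_HOLDINGS` register are constructed for the example.

```python
from collections import defaultdict

# Constructed shareholder register: (owner, owned_entity, fraction_of_shares_held).
# P1 and P2 stand in for designated (listed) persons; all other nodes are companies.
SAMPLE_HOLDINGS = [
    ("P1", "HoldCo", 0.60),
    ("P2", "HoldCo", 0.10),
    ("HoldCo", "OpCo", 0.80),   # OpCo has only 20% *direct* listed ownership ...
    ("P2", "OpCo", 0.20),       # ... but 0.80 * 0.70 + 0.20 = 0.76 in aggregate
    ("OpCo", "SubCo", 0.55),    # chain dilutes below threshold: 0.55 * 0.76 = 0.418
    ("Other", "SubCo", 0.45),
    ("P1", "MinorCo", 0.30),    # direct holding, but below threshold
]
SAMPLE_LISTED = {"P1", "P2"}


def build_control_graph(holdings):
    """Map each entity to its (owner, fraction) edges, validating the fractions."""
    owners_of = defaultdict(list)
    for owner, owned, frac in holdings:
        if not 0.0 <= frac <= 1.0:
            raise ValueError(f"bad fraction {frac} for {owner} -> {owned}")
        owners_of[owned].append((owner, frac))
    return owners_of


def listed_exposure(entity, owners_of, listed, _path=()):
    """Aggregate share of `entity` held by listed persons, directly or via chains.
    Fractions multiply along a chain and add across parallel chains. The path
    guard stops recursion on cross-holdings (A owns B, B owns A)."""
    if entity in listed:
        return 1.0
    if entity in _path:
        return 0.0
    total = 0.0
    for owner, frac in owners_of.get(entity, ()):
        total += frac * listed_exposure(owner, owners_of, listed, _path + (entity,))
    return min(total, 1.0)


def exposure_report(holdings, listed):
    """Exposure per owned entity, rounded for reporting and audit output."""
    owners_of = build_control_graph(holdings)
    entities = {owned for _, owned, _ in holdings}
    return {e: round(listed_exposure(e, owners_of, listed), 4) for e in entities}


def flag_owned_entities(holdings, listed, threshold=0.5):
    """Entities whose aggregate listed ownership meets the page's >=50% rule (threshold is configurable)."""
    return sorted(e for e, x in exposure_report(holdings, listed).items() if x >= threshold)
```

On the sample register, `OpCo` is flagged only because the indirect chain through `HoldCo` is counted, while `SubCo` and `MinorCo` stay below the threshold; the exposure figures themselves are what an analyst would attach to the alert.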
5 Governance, Roles & Documentation

Implication: Screening platforms must reflect organizational accountability.

Operational Need:

  • Role-based access controls and audit logs for traceable changes.
  • Clear separation of configuration vs. operational workflows.
  • Documented procedures traceable to system triggers.
6 Auditability and Reporting

Implication: PSPs must prove compliance through detailed documentation.

Operational Need:

  • Reports on hit volumes, false positives/negatives, and review metrics.
  • Exportable logs and system snapshots.
  • Review trail of every alert outcome and escalation.

7 Testing and UAT Environments

Implication: New configurations must be tested pre-production.

Operational Need:

  • Sandbox environments for scenario testing.
  • Synthetic data sets to simulate edge cases and emerging risk vectors.
8 Integration with Other Risk Systems

Implication: Screening is part of a broader AML ecosystem and must ensure connected risk visibility.

Operational Need:

  • Interoperability with transaction monitoring and risk engines.
  • Unified case management systems to centralize reviews.

The Cost of Non-Compliance

Recent years have seen a sharp uptick in enforcement across the EU, UK, and U.S.—underscoring the risks of fragmented or outdated systems:

  • In 2025, Monzo Bank was fined £21m by the FCA for customer due diligence (CDD) failures and for onboarding high-risk customers with insufficient controls.
  • From March 2024 to March 2025, regulators imposed over €36 million in AML fines, and multiple PSPs in the EU received regulatory warnings for weak governance frameworks under the new EBA regime.
  • Ratepay, a German PSP, was fined €25,000 (≈ $28,260) in March 2025 for AML deficiencies.
  • B2BX Digital Exchange OÜ (Estonia) lost its license in February 2025 due to failures in customer due diligence and transaction monitoring.
  • Foxpay (Lithuania) also had its license revoked in November 2024 following governance and AML/CFT control failures.

OFAC continues to issue monthly penalties for list-matching failures and indirect exposure via third-party entities—often for oversight rather than intent.

The takeaway: compliance failures are now systemic risk events—not operational lapses. Regulators expect integrated, auditable platforms backed by evidence—not just policies on paper. While implementation may carry upfront cost, these investments are expected to be offset by a reduced likelihood.

03 AI Powers AML Efficiency and Growth at Travelex - Global Case Study

The world’s largest foreign exchange group deployed ThetaRay Transaction Monitoring and Transaction Screening in under 3 months for optimization of domestic and cross-border transactions.

They required a rapid POC and deployment of the screening solutions in less than three weeks. ThetaRay delivered in record time because of its SaaS cloud infrastructure, enabling easy integration and scalability.

After deployment, Travelex experienced:

  • A 75% to 95% reduction in the number of hits.
  • Drastic improvements in efficiency, with false-positive reduction reaching a precision level above 94%.

“Using ThetaRay, we can now grow our business by 30 to 40%.”

Celia Pizzi
Chief Compliance Officer Travelex

04 ThetaRay’s Response to the EBA Guidelines

At ThetaRay, we view the EBA’s guidelines as an essential step toward smarter, scalable, and more defensible compliance. Our AI-powered screening platform was engineered to meet the specific operational demands these rules introduce—without requiring PSPs to sacrifice performance or scalability.

Our Differentiators:
Advanced Matching Engine
A highly configurable, rule-based and AI-powered engine that uses advanced matching techniques to uncover hidden risk—across name cultures, scripts, and conventions.

Model Risk Management (MRM) Ready Infrastructure
Every match is fully traceable, explainable, and documented— with audit logs, version control, and threshold tracking to support both regulatory reviews and internal assurance.

Near Real-Time Delta Screening
Our system responds rapidly to changes in sanctions lists or customer profiles, enabling near real-time rescreening with minimal delay.

Integrated Compliance Ecosystem
Integration with ThetaRay’s Transaction Monitoring and Customer Risk Assessment solutions within a unified platform.

Our platform is built on four foundational pillars:
1 Effectiveness & efficiency, to boost effectiveness in catching real risks and improve efficiency by reducing noise and workload in watchlist screening.
2 Adaptability, to adjust thresholds and match logic as risks evolve.
3 Transparency, to deliver regulator-ready visibility with supporting audit trails.
4 Performance, to scale across jurisdictions, products, and payment rails.

05 Summary – Turning Obligation into Advantage

The EBA’s guidance presents both a challenge and an opportunity. It urges institutions to move beyond legacy approaches—while offering a path to smarter, more scalable, and more defensible compliance.

To meet these expectations, PSPs must adopt screening systems that are:

  • Dynamic – able to adapt instantly to regulatory changes
  • Explainable – offering end-to-end traceability for every alert
  • Integrated – embedded within a broader risk management architecture
  • Auditable – enabling confidence in every decision

Those that meet these standards stand to gain far more than compliance alone:

  • Lower operational costs through automation and reduced false positives
  • Accelerated onboarding and case resolution through faster, more accurate investigations
  • Stronger regulatory relationships by demonstrating robust, auditable controls
  • Greater customer trust with visible governance and ethics built into the screening process

With the December 30, 2025 deadline approaching, the time to act is now. Institutions that proactively modernize their screening systems won’t just avoid fines—they’ll gain a lasting compliance advantage.

Glossary

EU (European Union)
A political and economic union of 27 member states primarily located in Europe. The EU develops and enforces legislation across a range of sectors, including financial regulation, anti-money laundering (AML), and sanctions enforcement, through harmonized directives and regulations.

UN (United Nations)
An international organization comprising 193 member states, established to promote peace, security, and cooperation. The UN Security Council issues binding sanctions that member countries are obligated to enforce, often forming the basis of national and regional AML and counter-terrorism financing (CTF) frameworks.

OFSI (Office of Financial Sanctions Implementation)
A UK government agency under HM Treasury responsible for enforcing financial sanctions. OFSI maintains the UK sanctions list, provides guidance to financial institutions, and ensures compliance through audits and penalties.

BAFA (Federal Office for Economic Affairs and Export Control – Germany)
Germany’s national authority overseeing export controls and financial sanctions compliance. BAFA ensures that entities operating in or through Germany adhere to national and EU-level restrictive measures.

UBO (Ultimate Beneficial Owner)
The individual(s) who ultimately own or control a legal entity or arrangement, such as a company or trust. UBOs are the natural persons behind layers of ownership or control, and identifying them is a key requirement in AML and KYC regulations to prevent the misuse of corporate structures for money laundering or terrorist financing.

PSP (Payment Service Provider)
A financial entity that enables the execution of payment transactions, including credit transfers, direct debits, and card payments. PSPs can include banks, fintechs, and third-party providers regulated under PSD2 in the EU.

CASP (Crypto Asset Service Provider)
A business or platform that offers services involving crypto-assets, such as exchange, custody, or transfer. CASPs are subject to evolving AML/CFT regulations in the EU under frameworks like MiCA and AMLD6, and are increasingly under direct scrutiny from AMLA.

Sources:
[1] EBA/GL/2024/14
[2] EBA/GL/2024/15