Even businesses that don’t offer crypto directly are finding themselves caught in the crossfire, especially if their clients, investors, or vendors are exposed. Think: a fintech app with crypto rewards, or a SaaS platform serving Web3 clients. Some fintech-forward providers continue to support compliant businesses in this space, but many mainstream banks are tightening their risk thresholds without warning.

The upcoming EU Anti-Money Laundering (AML) Package, expected to take effect by the end of 2025, will accelerate this trend. Financial institutions will face tougher obligations to identify and manage financial crime risk, including expanded expectations for due diligence on indirect exposure. While enforcement timelines will vary by entity and jurisdiction, the direction of travel is clear: more scrutiny, more offboarding, and lower tolerance for perceived risk.

Why it matters

1. The risk is indirect (and often difficult to see).

You may not be handling crypto yourself, but exposure through your network—clients, vendors, or backers—can still trigger concern. Some businesses have been de-banked with little explanation, though in places like the UK, banks are now required to give 90 days’ notice and justification.

2. AML regulation is expanding the risk perimeter.

The EU AML Package will apply to a wider range of entities, including certain digital platforms, depending on their function and exposure. The new rules introduce standardised due diligence and risk management requirements, along with a central AML Authority (AMLA).

3. It affects capital flow, payments, and trust.

Account closures or restrictions can delay funding rounds, disrupt payroll, or lead to lost clients. Even the perception of being “high risk” can erode business relationships and investor confidence.

What to do this quarter

1. Assess your financial infrastructure
   ☐ Map your exposure to regulated banking, FX, and payment providers
   ☐ Identify concentration risk (e.g. reliance on a single provider or jurisdiction)

2. Screen your client and partner base
   ☐ Are any of your customers or stakeholders involved in high-risk sectors (crypto, gambling, remittances, etc.)?
   ☐ Proactively document any steps you've taken to manage that exposure

3. Engage your providers early
   ☐ Be transparent with banks and payment platforms about your exposure and controls
   ☐ Ask about their evolving risk appetite—don’t wait to be surprised

4. Build banking resilience
   ☐ Open secondary accounts or lines with fintech-friendly providers
   ☐ Diversify payment rails across regions and entities where possible

5. Strengthen internal AML and risk processes
   ☐ Even if not legally required, demonstrate strong onboarding and monitoring
   ☐ Prepare documentation to show you understand financial crime risk and act on it

6. Brief senior leaders and investors
   ☐ Position de-banking as a strategic risk, not just an operational nuisance
   ☐ Communicate your plan for resilience and continuity

Bottom line:

Banking access is becoming more fragile, especially for fast-moving businesses with even indirect exposure to crypto. The ability to demonstrate proactive risk governance—not just regulatory compliance—may soon become a differentiator in investor due diligence, customer onboarding, and strategic partnerships.

Welcome to The Signal, a new mini-series on Modern Risk. Each week, we share a fast, early heads-up on emerging developments that could reshape risk, regulation, or strategy for forward-thinking businesses. Think of it as your early-warning system for what’s coming over the horizon.

Australia’s AI policy is heating up. The government is drafting a National AI Capability Plan, aiming to position the country as a global leader by 2028. Business groups, including the Business Council of Australia, are urging against over-regulation that could stifle innovation, but the direction is clear: mandatory guardrails for high-risk AI systems are coming.

Meanwhile, the EU is already there. From August 2025, the EU’s AI Act begins enforcement. Any company deploying AI in sectors like hiring, healthcare, infrastructure, or financial services must meet strict standards around data quality, transparency, and human oversight.

This is no longer just a tech issue; it’s a strategic, financial, and reputational one.

Why it matters

1. AI risk is now regulatory risk.

Just as cyber moved from IT to the boardroom, AI is heading the same way. If your business uses AI to make decisions that affect people or financial performance, you’ll be expected to demonstrate governance and control.

2. Global clients and capital will expect compliance.

Even if you don’t operate in the EU, expect to be asked about your AI controls. Corporate buyers, investors, and insurers are starting to screen for AI maturity just like they do with cybersecurity.

3. Insurance won’t cover governance gaps.

Insurers are watching. Expect changes in policy wordings, with exclusions around “algorithmic error” or “automated decision-making.” Poor governance could translate to limited cover (or no cover at all).

What to do this quarter

1. Map where AI is already in use
☐ Identify internal and third-party systems using AI or automation
☐ Prioritise high-risk use cases (e.g. hiring, scoring, underwriting, customer service)

2. Assign ownership
☐ Nominate an exec-level sponsor for AI governance
☐ Get risk, legal, tech, and operations in the same room

3. Benchmark against emerging standards
☐ Review frameworks like NIST AI RMF or ISO/IEC 42001
☐ Note any gaps in explainability, documentation, or human-in-the-loop controls

4. Review risk transfer and legal exposure
☐ Ask your broker how AI exclusions are evolving in cyber, PI, and D&O policies
☐ Audit contracts with AI vendors. Who carries the liability?

5. Brief the board
☐ Add AI risk to your next board or risk committee agenda
☐ Frame it as both a compliance horizon and a trust-building opportunity

6. Make a 90-day plan
☐ Don’t wait for regulation. Start with a short internal roadmap
☐ Show employees, investors, and partners that you’re ahead of the curve

Bottom line:

The voluntary window for AI governance is closing. Aligning early isn’t just smart risk management—it’s a competitive advantage.