AML & CFT obligations in embedded finance: who is responsible for what?

Embedded finance promises speed, scale, and seamless customer journeys. What it does not change is regulatory accountability.
As embedded finance models mature across the EU/EEA, one question keeps resurfacing at board level: who actually owns AML & CFT obligations when multiple parties are involved? The answer is often assumed to be “shared.” In reality, it is more nuanced - and misunderstanding it creates real regulatory risk.

Embedded finance does not dilute AML accountability
From a regulatory perspective - whether under FATF standards or supervisory expectations of authorities such as the FCA - embedded finance is not a loophole. The involvement of fintech platforms, program managers, processors, and distribution partners does not weaken AML/CFT obligations; it redistributes operational roles while preserving accountability.
Put simply: delegation is possible; abdication is not.
A practical responsibility split
In most embedded finance setups, responsibilities tend to align along the following lines:
Licensed entity (issuer / EMI / bank)
The regulated institution remains ultimately accountable for AML & CFT compliance. This includes the design of the AML framework, risk appetite definition, customer risk classification logic, and regulatory reporting. Supervisors will always look here first - regardless of how many partners sit downstream.
Program manager / orchestration layer
Program managers typically operationalize compliance: onboarding flows, transaction monitoring tooling, screening integrations, and escalation processes. While these functions may be outsourced, regulators expect effective oversight, clear contractual controls, and demonstrable ongoing supervision by the licensed entity.
Embedded finance partner (platform or merchant)
Distribution partners often control customer interaction and data origination. Their role is critical for customer due diligence inputs, behavioral signals, and use-case transparency. However, they do not become AML-regulated entities by default - unless local law explicitly says otherwise. Their obligations are usually contractual, not prudential.
Processors and technical vendors
These actors enable execution, not compliance ownership. They may support screening, monitoring, or reporting, but they do not assume regulatory responsibility merely by providing infrastructure.
Where boards often get it wrong
Two misconceptions frequently surface in embedded finance discussions:
- “If a task is outsourced, the risk moves with it.” FATF guidance is clear: outsourcing does not transfer responsibility. Boards must ensure that controls remain effective, tested, and auditable.
- “Shared responsibility means diluted liability.” Supervisors rarely accept “shared” as an answer. They expect clear lines of accountability, even in complex multi-party setups.
Why this matters now
EU regulators are increasingly focused on complex payment ecosystems, especially where customer reach scales faster than compliance maturity. Embedded finance models that lack clarity on AML & CFT ownership are more likely to face supervisory friction, remediation demands, or structural adjustments later.
The takeaway is strategic rather than technical: AML & CFT should be treated as a design parameter, not an afterthought delegated down the stack.
Embedded finance reshapes delivery models - but not regulatory expectations. The real question is not whether AML obligations apply, but whether ownership is clearly defined from day one.




