The Business-Wide Risk Assessment, Promoted: From Guideline Concept to Named Regulation

The phrase "business-wide risk assessment" appears 13 times in Regulation (EU) 2024/1624, the AMLR. In the current Level 2 regulation, it appears zero times.

The obligation itself is not new. Under the current AML framework, obliged entities are required to take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which they are exposed, proportionate to the nature and size of their business. But the Level 2 regulation is brief on this. It does not prescribe a methodology. And it does not use the phrase "business-wide risk assessment".

The detail lives elsewhere, specifically in the EBA's ML/TF Risk Factor Guidelines (EBA/GL/2021/02), a guideline instrument that is primarily designed to guide customer due diligence for individual business relationships. The BWRA appears there, but as one component within a broader document whose centre of gravity is customer-level risk assessment.

To build a proper picture of what a firm's BWRA should look like, compliance officers across the EU have to read the EBA guidelines, then cross-reference national supervisory expectations, national risk assessments, Moneyval feedback, supervisory dear-CEO letters, and enforcement decisions from across the Union. It is doable. It is not clean.

The new AML Package changes this materially.

1. The BWRA, now named and codified

Under Regulation (EU) 2024/1624 (AMLR), the business-wide risk assessment is the subject of a dedicated article. Article 10 is titled, explicitly, "Business-wide risk assessment". The phrase appears 13 times across the regulation, including the recitals, the training requirements in Article 12, and the group-wide framework in Article 16.

Structurally, the position of the BWRA within the AMLR is also telling. Chapter II of the regulation covers internal policies, procedures and controls of obliged entities. It opens with Article 9, which sets out what those internal policies, procedures and controls must include. Article 9(2)(a) names ten internal policies and procedures that every obliged entity must have in place, ranging from customer due diligence to record retention to employee training. The business-wide risk assessment is the first of those ten. Article 10 then dedicates a full article to defining what the BWRA is and how it should be drawn up.

Article 10(1) sets out the substantive obligation. Obliged entities must identify and assess the risks of money laundering, terrorist financing, and non-implementation and evasion of targeted financial sanctions to which they are exposed. It specifies the sources of information to be taken into account, including the risk variables and risk factors set out in the AMLR's own Annexes, the findings of the EU-level risk assessment under Article 7 of Directive (EU) 2024/1640, national risk assessments under Article 8, publications by international standard setters, and information on the customer base.

Article 10(2) sets out the governance. The BWRA must be documented, kept up to date, regularly reviewed, drawn up by the compliance officer, and approved by the management body in its management function. Where a supervisory function exists, the BWRA must also be communicated to it.

Article 10(4) gives AMLA the mandate. By 10 July 2026, AMLA is required to issue guidelines on the minimum requirements for the content of the BWRA and on the additional sources of information to be taken into account when carrying it out.

What this means in practice: The BWRA is no longer an obligation that compliance officers have to reconstruct from scattered guideline sources. It is a named, structured requirement in the binding regulation, listed first among the ten internal policies and procedures every obliged entity must have in place, with a dedicated guideline being finalised to support it.

2. AMLA's consultation on dedicated BWRA guidelines

On 16 April 2026, AMLA opened a public consultation on draft guidelines under Article 10(4) of the AMLR. The consultation runs until 15 July 2026. AMLA expects to issue the final guidelines in Q4 2026.

The draft guidelines propose four minimum requirements that all obliged entities, across both the financial and non-financial sectors, should apply when carrying out their BWRA. They are designed to be proportionate to the nature, size, and complexity of each entity, but the four-part structure is common to all.

The four minimum requirements are:

MR 1. Business and Operational Overview. The BWRA should begin with a concise and descriptive overview of the obliged entity's business and operations. That includes the legal and operational setup, group structure where applicable, customer base, products and services within the scope of the AMLR, delivery channels, geographical exposure, the organisation of the AML/CFT function, outsourcing arrangements, and any use of new or emerging technologies. The overview should be used as the basis for deciding how complex and elaborate the rest of the BWRA needs to be.

MR 2. Identification, Assessment and Classification of Inherent Risks. Obliged entities should analyse how money laundering, terrorist financing, and non-implementation and evasion of targeted financial sanctions risks could materialise within their business. The analysis should take a holistic view of all relevant risk factors relating to customers, products, services, transactions, delivery channels, and geographical exposure. Paragraph 23 of the draft guidelines instructs obliged entities to refer, at minimum, to the data points listed in the RTS on Article 40(2) of the AMLD when carrying out this step.

MR 3. Assessment of the Quality of Controls. Once inherent risks are identified, obliged entities should assess how effectively their AML, CFT, and targeted financial sanctions controls mitigate those risks. The assessment must cover both design and implementation. Design means whether adequate controls exist to address the risk. Implementation means whether the controls actually work in practice. Obliged entities should rely on compliance testing findings, internal and external audit results, and supervisory actions to support this assessment.

MR 4. Assessment and Classification of Residual Risks. The final step is to combine the inherent risk with the quality of controls to arrive at a residual risk view. The draft guidelines specifically acknowledge that inherently high-risk factors cannot be fully mitigated by controls alone, a point that is worth reading carefully. The residual risk score should then inform where the obliged entity prioritises remediation, resource allocation, and updates to policies, procedures and controls.

What this means in practice: the methodology is explicit, inherent risk → controls quality → residual risk. Every BWRA under the AMLR framework will be expected to work through those three steps, in that order, with the business and operational overview sitting above them as the context.

3. The RTS on Article 40(2) AMLD as a reference point

On 16 December 2025, AMLA published its Final Report on the draft RTS supplementing Directive (EU) 2024/1640 with regard to the methodology that supervisors will use to assess the inherent and residual risk profile of credit and financial institutions. This is the technical standard that governs how supervisors will assess regulated entities under the new framework. It applies from 31 December 2027.

The RTS sets out a three-step methodology for supervisors. Article 2 covers the assessment of the inherent risk profile. Article 3 covers the assessment of the quality of AML/CFT controls. Article 4 covers the assessment and classification of the residual risk profile. The residual risk score is derived from the inherent risk score and the controls quality score using rules specified in Article 4(2).

The methodology for supervisors mirrors the methodology AMLA proposes for obliged entities in the BWRA guidelines: inherent risk → controls quality → residual risk. The classification bands are the same. Below 1.75 is Low. Between 1.75 and 2.50 is Medium. Between 2.50 and 3.25 is Substantial. At 3.25 or above is High.

Annex I of the RTS then sets out the data points supervisors will use. Section A lists the inherent risk data points, organised by customer, products and services, geographies, and distribution channels, and broken down further by sector: credit institutions, life insurance, electronic money institutions, payment institutions, investment firms, asset management companies, and crypto-asset service providers. Each sector has its own applicable set of indicators.

Section B lists the controls quality data points, organised into seven categories: governance and compliance function; internal controls and outsourcing; risk assessment; customer due diligence and monitoring; transaction monitoring and suspicious activity reporting; targeted financial sanctions and compliance with the Fund Transfers Regulation; and the group-wide AML/CFT framework.

And this is where the two frameworks meet. AMLA's draft BWRA guidelines instruct obliged entities, when identifying their inherent risks, to refer at minimum to the data points listed in the RTS on Article 40(2) AMLD. That reference is explicit in paragraph 23 of the draft guidelines. The same data points that supervisors will use to score the firm are the data points obliged entities are expected to build their BWRA around.

What this means in practice: The RTS was written for regulators. But read in combination with the draft BWRA guidelines, it functions as the cheat sheet for the regulated. The data points in Annex I are what your supervisor will score you on. AMLA is telling you to use them as the starting point for your own assessment.

To make Annex I usable in practice, we have built a free Excel workbook that mirrors the data points sector by sector and operationalises the three-step methodology in the draft guidelines. Download the AMLR BWRA Workbook here.

4. What this means for obliged entities in practice

The implications for financial sector obliged entities across the EU are practical.

First, the BWRA must reflect the methodology in AMLA's draft guidelines: business and operational overview → inherent risks → controls quality → residual risks. A BWRA that does not clearly separate inherent risk from residual risk, or that skips the controls effectiveness step, will not align with the framework.

Second, the data foundation matters. The RTS Annex I is public, sector-specific, and detailed. Each sector, from credit institutions to investment firms to crypto-asset service providers, has its own applicable set of indicators spanning the customer base, the services offered, the jurisdictions of counterparties, and the distribution channels. These are quantitative indicators that can be extracted from existing systems if the data is organised to support it. A BWRA built on qualitative narrative alone, without the underlying numbers to back it up, is unlikely to withstand scrutiny.

Third, the controls assessment must go beyond policy existence. AMLA's draft guideline is explicit that controls quality must be assessed on both design and implementation. Having a policy in place is necessary. Demonstrating that the policy actually mitigates the risk in practice, with evidence drawn from compliance testing and internal audit, is where the assessment lives.

Fourth, the governance trail must be clean. The AMLR requires the BWRA to be drawn up by the compliance officer and approved by the management body in its management function. Where a supervisory body exists, it must also be communicated to it. The approval must be documented, dated, and based on a BWRA that is current.

Fifth, and perhaps most importantly, the same methodology that obliged entities apply internally is the methodology the RTS sets out for supervisors. The BWRA becomes an input to the supervisory dialogue. Where the firm's self-assessment diverges from the supervisor's assessment, that divergence is itself a signal. Being able to explain the basis for the difference, with reference to the data points in the RTS and the four minimum requirements in the BWRA guidelines, is what turns the BWRA from a compliance document into a supervisory instrument.

Know what is coming before it arrives.

Our seminar on Business-Wide Risk Assessment walks through the methodology step by step. Inherent risk, controls quality, residual risk. The material covers the same methodology the AMLR formalises in Article 10. It will be updated to reflect the final AMLA Guidelines once they are issued in Q4 2026.
Explore the BWRA seminar →

If you want to start drafting your AMLR Article 10 BWRA today, our free Excel workbook operationalises the three-step methodology for ten sectors of obliged entities. It mirrors the inherent risk data points listed in Annex I of the RTS under Article 40(2) AMLD and the four minimum requirements set out in the draft Guidelines.
Download the AMLR BWRA Workbook →

Sources: Regulation (EU) 2024/1624 (AMLR), Article 10 and related provisions. AMLA Consultation Paper on Draft Guidelines under Article 10(4) AMLR, published 16 April 2026, deadline 15 July 2026. AMLA Final Report on Draft RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of Directive (EU) 2024/1640, published 16 December 2025. EBA Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the ML/TF risk associated with individual business relationships and occasional transactions (EBA/GL/2021/02).

Article by Nikolas Demetriades

Published 24 Apr 2026