Source: OJ L, 2024/1640, 19.6.2024

Current language: EN

Article 40 Risk-based supervision

Summary What does Article 40 of the Sixth anti-money laundering (AML 6) directive say?

This article establishes the core requirement for supervisors to adopt a risk-based approach to AML/CFT supervision.

It builds directly on Article 37, which sets out the general obligation for Member States to ensure adequate supervision, by detailing how that supervision must be calibrated in practice.

The article requires supervisors to ground their work in a genuine understanding of the money laundering and terrorist financing risks in their jurisdiction, and to let that risk picture drive the frequency and intensity of their supervisory activities.

It also mandates annual supervisory programmes, public activity reporting, and tasks AMLA with developing both technical standards and guidelines to support consistent implementation across Member States.

Important points:

  • Supervisors are required to base the frequency and intensity of on-site, off-site, and thematic supervision on the risk profile of obliged entities, and must draw up annual supervisory programmes accordingly.
  • AMLA is required to develop draft regulatory technical standards by 10 July 2026 setting out benchmarks and a methodology for assessing and classifying the inherent and residual risk profile of obliged entities, and to issue guidelines to supervisors by 10 July 2028.
  • Supervisors are required to prepare a detailed annual activity report, a non-confidential summary of which must be made public, covering the categories of obliged entities supervised, the supervisors' powers and tasks, and an overview of supervisory activities carried out.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Member States shall ensure that supervisors apply a risk-based approach to supervision. To that end, Member States shall ensure that they:

      1. have a clear understanding of the risks of money laundering and terrorist financing present in their Member State;

      2. assess all relevant information on the specific domestic and international risks associated with customers, products and services of the obliged entities;

      3. base the frequency and intensity of on-site, off-site and thematic supervision on the risk profile of obliged entities, and on the risks of money laundering and terrorist financing in that Member State.

    2. For the purposes of point (c) of the first subparagraph of this paragraph, supervisors shall draw up annual supervisory programmes, which shall take into account the timing and resources needed to react promptly in the event of objective and significant indications of breaches of Regulations (EU) 2024/1624 and (EU) 2023/1113.

    1. By 10 July 2026, AMLA shall develop draft regulatory technical standards and submit them to the Commission for adoption. Those draft regulatory technical standards shall set out the benchmarks and a methodology for assessing and classifying the inherent and residual risk profile of obliged entities, as well as the frequency at which such risk profile shall be reviewed. Such frequency shall take into account any major events or developments in the management and operations of the obliged entity, as well as the nature and size of the business.

    2. Power is delegated to the Commission to supplement this Directive by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 49 to 52 of Regulation (EU) 2024/1620.

    1. By 10 July 2028, AMLA shall issue guidelines addressed to supervisors on:

      1. the characteristics of a risk-based approach to supervision;

      2. the measures to be put in place within supervisors to ensure adequate and effective supervision, including to train their staff;

      3. the steps to be taken when conducting supervision on a risk-sensitive basis.

    2. Where relevant, the guidelines referred to in the first subparagraph shall take into account the outcomes of the assessments carried out pursuant to Articles 30 and 35 of Regulation (EU) 2024/1620.

    1. Member States shall ensure that supervisors take into account the degree of discretion allowed to the obliged entity, and appropriately review the risk assessments underlying this discretion, and the adequacy of its internal policies, procedures and controls.

    1. Member States shall ensure that supervisors prepare a detailed annual activity report and that a summary of that report is made public. That summary shall not contain confidential information and shall include:

      1. the categories of obliged entities under the supervision and the number of obliged entities per category;

      2. a description of the powers with which the supervisors are entrusted and the tasks assigned to them and, where relevant, of mechanisms referred to in Article 37(4) in which they participate and, for the lead supervisor, a summary of the coordination activities carried out;

      3. an overview of the supervisory activities carried out.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod