Source: OJ L, 2024/1620, 19.6.2024Current language: EN
- Anti-money laundering
Basic legislative acts
- Anti-money laundering authority regulation (AMLAR)
Article 12 Assessment of credit institutions and financial institutions for the purposes of selection for direct supervision
Summary What does Article 12 of the Anti-money laundering authority regulation (AMLAR) say?
This article establishes the periodic risk assessment process that the Authority (AMLA) uses to evaluate credit institutions, financial institutions, and their groups that operate across at least six Member States.
It is a foundational article that directly feeds into Article 13, which uses the risk classifications produced here to determine which entities qualify for direct supervision by the Authority as "selected obliged entities." The article sets out the full framework for this assessment: the scope of entities covered, the four-tier risk classification scale (low, medium, substantial, high), the categories of obliged entities to be assessed separately, and the specific risk indicators — covering customers, products, services, and geography — that underpin the methodology.
The Authority is required to develop regulatory technical standards to formalise the methodology, and to review the benchmarks at least every three years.
Important points:
- Supervisory authorities and the obliged entities subject to assessment are required to supply the Authority with any information necessary to carry out the periodic risk assessment.
- The Authority classifies each assessed entity's inherent and residual risk profile as low, medium, substantial, or high — and where an entity is part of a group, that classification is made at group-wide level.
- The Authority must develop draft regulatory technical standards setting out the full classification methodology and submit them to the Commission by 1 January 2026.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
For the purposes of carrying out the tasks listed in Article 5(2), the Authority, in collaboration with financial supervisors, shall carry out a periodic assessment of credit institutions and financial institutions, and groups of credit institutions and financial institutions, where they operate, whether through establishments or under the freedom to provide services, in at least six Member States, including the home Member State, regardless of whether the activities are carried out through infrastructure on the territory concerned or remotely.
The supervisory authorities, and the obliged entities subject to periodic assessment, shall supply the Authority with any information necessary to carry out the periodic assessment referred to in paragraph 1.
The inherent and residual risk profiles of an obliged entity assessed pursuant to paragraph 1 shall be classified by the Authority as low, medium, substantial or high, based on the benchmarks and following the methodology set out in the regulatory technical standards referred to in paragraph 7. Where the assessed obliged entity is part of a group of credit institutions or financial institutions, the risk profile shall be classified at group-wide level.
The methodology for classifying inherent and residual risk profiles shall be established separately for at least the following categories of obliged entities:
credit institutions;
bureaux de change;
collective investment undertakings;
credit providers other than credit institutions;
e-money institutions;
investment firms;
payment institutions;
life insurance undertakings;
life insurance intermediaries;
crypto-asset service providers;
other financial institutions.
For each category of obliged entities referred to in paragraph 4, the benchmarks for the assessment of inherent risk in the assessment methodology shall be based on the risk factor categories related to customers, products, services, transactions, delivery channels and geographical areas. The benchmarks shall be established for at least the following indicators of inherent risk in any Member State in which the obliged entities operate:
with respect to customer-related risk: the share of non-resident customers from third countries identified pursuant to Chapter III, Section 2, of Regulation (EU) 2024/1624 and the presence and share of customers identified as politically exposed persons;
with respect to products and services offered:
the significance and the trading volume of products and services identified as the most vulnerable to ML/TF risks either at the level of the internal market, in the risk assessment at Union level, or at the level of the country, in the national risk assessment;
for money remittance service providers, the significance of the aggregate annual emission and reception activities of each remitter in the countries identified pursuant to Chapter III, Section 2, of Regulation (EU) 2024/1624;
the relative volume of products, services and transactions that offer a considerable level of protection of clients’ privacy and identity or other form of anonymity;
with respect to geographical areas:
the annual volume of correspondent banking services and correspondent crypto-asset services, provided by Union financial sector entities in third countries identified pursuant to Chapter III, Section 2, of Regulation (EU) 2024/1624;
the number and share of correspondent banking clients and crypto-asset clients in third countries identified pursuant to Chapter III, Section 2, of Regulation (EU) 2024/1624.
For each category of obliged entity referred to in paragraph 4, the assessment of residual risk in the assessment methodology shall include benchmarks for the assessment of the quality of internal policies, controls and procedures put in place by obliged entities to mitigate their inherent risk.
The Authority shall develop draft regulatory technical standards specifying:
the minimum activities to be carried out by a credit institution or a financial institution under the freedom to provide services, whether through infrastructure or remotely, for it to be considered as operating in a Member State other than that where it is established;
the methodology based on the benchmarks referred to in paragraphs 5 and 6 for classifying the inherent and residual risk profiles of credit institutions or financial institutions, or groups of credit institutions or financial institutions, as low, medium, substantial or high.
The Authority shall submit those draft regulatory technical standards to the Commission by 1 January 2026.
The Commission is empowered to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Article 49 of this Regulation.
The Authority shall review the benchmarks and methodology at least every three years. Where amendments are required, the Authority shall submit amended draft regulatory technical standards to the Commission.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
crypto-asset services
Definition
supervisor
Definition
financial mixed activity holding company
Definition
crypto-asset service provider
Definition
credit institution
- a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013;
- a branch of a credit institution, as defined in Article 4(1), point (17), of Regulation (EU) No 575/2013, when located in the Union, whether its head office is located in a Member State or in a third country;
Definition
politically exposed person
- in a Member State:
- heads of State, heads of government, ministers and deputy or assistant ministers;
- members of parliament or of similar legislative bodies;
- members of the governing bodies of political parties that hold seats in national executive or legislative bodies, or in regional or local executive or legislative bodies representing constituencies of at least 50 000 inhabitants;
- members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances;
- members of courts of auditors or of the boards of central banks;
- ambassadors, chargés d’affaires and high-ranking officers in the armed forces;
- members of the administrative, management or supervisory bodies of enterprises controlled under any of the relationships listed in Article 22 of Directive 2013/34/EU either by the state, or, where those enterprises qualify as medium sized or large undertakings or medium sized or large groups, as defined in Article 3(3), (4), (6) and (7) of that Directive, by regional or local authorities;
- heads of regional and local authorities, including groupings of municipalities and metropolitan regions, with at least 50 000 inhabitants;
- other prominent public functions provided for by Member States;
- in an international organisation:
- the highest ranking officials, their deputies and members of the board or equivalent functions of an international organisation;
- representatives to a Member State or to the Union;
- at Union level:
functions at the level of Union institutions and bodies that are equivalent to those listed in points (a) (i), (ii), (iv), (v) and (vi);
- in a third country:
functions that are equivalent to those listed in point (a);
Definition
parent undertaking
- for groups whose head office is located in the Union, an obliged entity that is a parent undertaking as defined in Article 2, point (9), of Directive 2013/34/EU that is not itself a subsidiary of another undertaking in the Union, provided that at least one subsidiary undertaking is an obliged entity;
- for groups whose head office is located outside of the Union, where at least two subsidiary undertakings are obliged entities established in the Union, an undertaking within that group established in the Union that:
- is an obliged entity;
- is an undertaking that is not a subsidiary of another undertaking that is an obliged entity established in the Union;
- has a sufficient prominence within the group and a sufficient understanding of the operations of the group that are subject to the requirements of this Regulation; and
- is given the responsibility of implementing group-wide requirements under Chapter II, Section 2 of this Regulation;
Definition
crypto-asset
Definition
establishment
- a branch or subsidiary;
- in the case of credit institutions and financial institutions, an infrastructure qualifying as an establishment under prudential regulation;
Definition
property
Definition
group
Definition
financial institution
- an undertaking other than a credit institution or an investment firm, which carries out one or more of the activities listed in points (2) to (12), (14) and (15) of Annex I to Directive 2013/36/EU of the European Parliament and of the Council(32), including the activities of currency exchange offices (bureaux de change), but excluding the activities referred to in point (8) of Annex I to Directive (EU) 2015/2366, or an undertaking the principal activity of which is to acquire holdings, including a financial holding company, a mixed financial holding company and a financial mixed activity holding company;
- an insurance undertaking as defined in Article 13, point (1), of Directive 2009/138/EC of the European Parliament and of the Council(33), insofar as it carries out life or other investment-related assurance activities covered by that Directive, including insurance holding companies and mixed-activity insurance holding companies as defined, respectively, in Article 212(1), points (f) and (g), of Directive 2009/138/EC;
- an insurance intermediary as defined in Article 2(1), point (3), of Directive (EU) 2016/97 where it acts with respect to life insurance and other investment-related insurance services, with the exception of an insurance intermediary that does not collect premiums or amounts intended for the customer and which acts under the responsibility of one or more insurance undertakings or intermediaries for the products which concern them respectively;
- an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU of the European Parliament and of the Council(34);
- a collective investment undertaking, in particular:
- an undertaking for collective investment in transferable securities (UCITS) as defined in Article 1(2) of Directive 2009/65/EC and its management company as defined in Article 2(1), point (b), of that Directive or an investment company authorised in accordance with that Directive and which has not designated a management company, that makes available for purchase units of UCITS in the Union;
- an alternative investment fund as defined in Article 4(1), point (a), of Directive 2011/61/EU and its alternative investment fund manager as defined in Article 4(1), point (b), of that Directive that fall within the scope set out in Article 2 of that Directive;
- a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014 of the European Parliament and of the Council(35);
- a creditor as defined in Article 4, point (2), of Directive 2014/17/EU of the European Parliament and of the Council(36) and in Article 3, point (b), of Directive 2008/48/EC of the European Parliament and of the Council(37);
- a credit intermediary as defined in Article 4, point (5), of Directive 2014/17/EU and in Article 3, point (f), of Directive 2008/48/EC, when holding the funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 in connection with the credit agreement, with the exception of the credit intermediary carrying out activities under the responsibility of one or more creditors or credit intermediaries;
- a crypto-asset service provider;
- a branch of a financial institution referred to in points (a) to (i), when located in the Union, whether its head office is located in a Member State or in a third country;
Definition
self-regulatory body
Definition
third country
Definition
funds
Definition
supervisory authority