Source: OJ L, 2024/1624, 19.6.2024
Article 10 Business-wide risk assessment
Summary
What does Article 10 of the Anti-money laundering regulation (AMLR) say?
This article establishes the requirement for obliged entities to conduct a business-wide risk assessment covering their exposure to money laundering, terrorist financing, and the risks of non-implementation or evasion of targeted financial sanctions.
It feeds directly into Article 9, which requires obliged entities to have internal policies, procedures and controls in place, as the risk assessment underpins and informs those controls.
The article sets out the sources of information that must be fed into the assessment — ranging from Union-level and national risk assessments to international standards and the entity's own customer base — and critically requires that a new risk assessment be conducted before launching new products, services, or entering new markets.
The resulting document must be approved by management, kept current, and made available to supervisors on request.
Important points:
- Conduct and document a business-wide risk assessment covering money laundering, terrorist financing, and sanctions evasion risks, drawing on a defined set of external and internal sources.
- Carry out a specific risk assessment before launching new products, services, business practices, or expanding into new customer segments or geographical areas.
- Supervisors may waive the requirement for individual documented risk assessments for certain non-financial sector obliged entities where sector-specific risks are already clear and understood.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Obliged entities shall take appropriate measures, proportionate to the nature of their business, including its risks and complexity, and their size, to identify and assess the risks of money laundering and terrorist financing to which they are exposed, as well as the risks of non-implementation and evasion of targeted financial sanctions, taking into account at least:
- the risk variables set out in Annex I and the risk factors set out in Annexes II and III;
- the findings of the risk assessment at Union level conducted by the Commission pursuant to Article 7 of Directive (EU) 2024/1640;
- the findings of the national risk assessments carried out by the Member States pursuant to Article 8 of Directive (EU) 2024/1640, as well as of any relevant sector-specific risk assessment carried out by the Member States;
- relevant information published by international standard setters in the AML/CFT area or, at the level of the Union, relevant publications by the Commission or by AMLA;
- information on money laundering and terrorist financing risks provided by competent authorities;
- information on the customer base.
Prior to the launch of new products, services or business practices, including the use of new delivery channels and new or developing technologies, in conjunction with new or pre-existing products and services or before starting to provide an existing service or product to a new customer segment or in a new geographical area, obliged entities shall identify and assess, in particular, the related money laundering and terrorist financing risks and take appropriate measures to manage and mitigate those risks.
The business-wide risk assessment drawn up by the obliged entity pursuant to paragraph 1 shall be documented, kept up-to-date and regularly reviewed, including where any internal or external events significantly affect the money laundering and terrorist financing risks associated with the activities, products, transactions, delivery channels, customers or geographical zones of activities of the obliged entity. It shall be made available to supervisors upon request.
The business-wide risk assessment shall be drawn up by the compliance officer and approved by the management body in its management function and, where such body exists, communicated to the management body in its supervisory function.
With the exception of credit institutions, financial institutions, crowdfunding service providers and crowdfunding intermediaries, supervisors may decide that individual documented business-wide risk assessments are not required where the specific risks inherent in the sector are clear and understood.
By 10 July 2026, AMLA shall issue guidelines on the minimum requirements for the content of the business-wide risk assessment drawn up by the obliged entity pursuant to paragraph 1, and on the additional sources of information to be taken into account when carrying out the business-wide risk assessment.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
credit institution
- a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013;
- a branch of a credit institution, as defined in Article 4(1), point (17), of Regulation (EU) No 575/2013, when located in the Union, whether its head office is located in a Member State or in a third country;
Definition
competent authority
- a Financial Intelligence Unit (FIU);
- a supervisory authority;
- a public authority that has the function of investigating or prosecuting money laundering, its predicate offences or terrorist financing, or that has the function of tracing, seizing or freezing and confiscating criminal assets;
- a public authority with designated responsibilities for combating money laundering or terrorist financing;
Definition
financial institution
- an undertaking other than a credit institution or an investment firm, which carries out one or more of the activities listed in points (2) to (12), (14) and (15) of Annex I to Directive 2013/36/EU of the European Parliament and of the Council(32), including the activities of currency exchange offices (bureaux de change), but excluding the activities referred to in point (8) of Annex I to Directive (EU) 2015/2366, or an undertaking the principal activity of which is to acquire holdings, including a financial holding company, a mixed financial holding company and a financial mixed activity holding company;
- an insurance undertaking as defined in Article 13, point (1), of Directive 2009/138/EC of the European Parliament and of the Council(33), insofar as it carries out life or other investment-related assurance activities covered by that Directive, including insurance holding companies and mixed-activity insurance holding companies as defined, respectively, in Article 212(1), points (f) and (g), of Directive 2009/138/EC;
- an insurance intermediary as defined in Article 2(1), point (3), of Directive (EU) 2016/97 where it acts with respect to life insurance and other investment-related insurance services, with the exception of an insurance intermediary that does not collect premiums or amounts intended for the customer and which acts under the responsibility of one or more insurance undertakings or intermediaries for the products which concern them respectively;
- an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU of the European Parliament and of the Council(34);
- a collective investment undertaking, in particular:
  - an undertaking for collective investment in transferable securities (UCITS) as defined in Article 1(2) of Directive 2009/65/EC and its management company as defined in Article 2(1), point (b), of that Directive or an investment company authorised in accordance with that Directive and which has not designated a management company, that makes available for purchase units of UCITS in the Union;
  - an alternative investment fund as defined in Article 4(1), point (a), of Directive 2011/61/EU and its alternative investment fund manager as defined in Article 4(1), point (b), of that Directive that fall within the scope set out in Article 2 of that Directive;
- a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014 of the European Parliament and of the Council(35);
- a creditor as defined in Article 4, point (2), of Directive 2014/17/EU of the European Parliament and of the Council(36) and in Article 3, point (b), of Directive 2008/48/EC of the European Parliament and of the Council(37);
- a credit intermediary as defined in Article 4, point (5), of Directive 2014/17/EU and in Article 3, point (f), of Directive 2008/48/EC, when holding the funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 in connection with the credit agreement, with the exception of the credit intermediary carrying out activities under the responsibility of one or more creditors or credit intermediaries;
- a crypto-asset service provider;
- a branch of a financial institution referred to in points (a) to (i), when located in the Union, whether its head office is located in a Member State or in a third country;
Definition
crowdfunding intermediary
- project owners, which are any natural or legal person seeking funding for projects, consisting of one or a set of predefined operations aiming at a particular objective, including fundraising for a particular cause or event irrespective of whether those projects are proposed to the public or to a limited number of funders; and
- funders, which are any natural or legal person contributing to the funding of projects, through loans, with or without interest, or donations, including where such donations entitle the donor to a non-material benefit;