RTS on assessment of inherent and residual risk of obliged entities

COMMISSION DELEGATED REGULATION (EU) No .../..

of XXX

supplementing Directive (EU) 2024/1640 of the European Parliament and of the Council with regards to regulatory technical standards setting out the benchmarks and methodology for assessing and classifying the inherent and residual risk profile of credit institutions and financial institutions, as well as the frequency at which it shall be reviewed

(Text with EEA relevance)
This is a draft act

This text has been parsed from the AMLA final report draft as published on 16 December 2025. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024, on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and in particular Article 40, paragraph 2, thereof,

Whereas:

Open full page
Recital 1

Directive (EU) 2024/1640 sets out the obligation for Member States to ensure that competent authorities apply a risk-based approach to supervision. As part of this, competent authorities should identify and assess the ML/TF risks to which obliged entities are exposed, as a result of the characteristics of their customers, the types of products, services or transactions they offer, the jurisdictions in which they operate and the distribution channels that they use.

Recital 2

Pursuant to Article 40(2) of Directive (EU) 2024/1640, AMLA is mandated to develop benchmarks and a methodology to ensure that the inherent and residual risk profiles of individual obliged entities can be assessed and classified in a consistent manner by all competent authorities.

Recital 3

This Regulation sets out benchmarks and a methodology for assessing and classifying the inherent and residual risk profile of credit institutions and financial institutions, as well as the frequency at which such risk profile shall be reviewed.

HAS ADOPTED THIS REGULATION:

  1. Article 1Definitions
  2. Article 2Assessment and classification of the inherent risk profile of credit institutions and financial institutions
  3. Article 3Assessment and classification of the quality of AML/CFT controls put in place by credit institutions and financial institutions
  4. Article 4Assessment and classification of the residual risk profile of credit institutions and financial institutions
  5. Article 5Timelines for and updates to the assessment and classification of the inherent and residual risk profile of credit institutions and financial institutions
  6. Article 6Entry into force
Annex
Annexes — not yet parsed

The annex below has not yet been parsed into Springlex. You can read it in the original source PDF.

  1. Annex I Data points, sub-categories and categories (starts at page 20 of the source PDF)

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels,

For the Commission

The President

[For the Commission

On behalf of the President]

[Position]

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod